Gooken - ssl-encryption for your connection to the search-engine of Gooken
Gooken - addurl: add an URL of a website, even if it is not referring to our main themes
Gooken- code-integration of input-fields for words and text into your menus and websites
Gooken - download in the size of around some hundred KB only (some thought it were 100)
Gooken - high placement - if you want to place the index for your websites quit on top


starting situation | groundworking theory - the security-functions | The essential idea | ISO-LSB-OpenSource with Changelogs | beautiful KDE (4.4.5, mdv, el6: "The cows are prettier than the girls!") | Hardware: driver, support, hardware-databasis | SSD optimization | seachengine/Gooken | data bases | anonymous proxy | fundamental theory | security concepts | data backup and restore | Ad- resp. Scriptblocker: blocking everything | (no) updates (at last up from year 2026, "UNIX", german: "you? no.": Miro´s suneater has spoken so far, hugh!): "UNIVERSAL-LINUX" on the DAILY UPDATE-PATCH-CHANNEL (el6, el7, rosa2014.1) | Secure and stable "Universal-Linux": updates and actualizations for Enterprise Linux (el) resp. Fedora Project resp. CentOS 6 (el6) and Mandriva | emulation of MS Windows | No Defragmentation essential | News&Links: Security for MS Windows | News&Links: Security for Smartphones | update firefox | msec-security-levels ( no-remote-root-login, no root-login, ... and | msec -MAC Tomoyo-Linux (mdv2010/el6) - Advanced Acess-Control for the process-interaction | Ordinary access control as part of msec |

1000% Sicherheit: nach Gooken immer ganz konkret - nicht nur für Linux, sondern auch für MS Windows und Smartphones (Sektion Smartphones abermals siehe Menü links) - ob Android oder iPhone!alue">ACL - Advanced Access Control on files and directories for user and groups to prevent brakes for example |
/etc/passwd - allen entkommen: no login-shell accessible | Linux-Sandboxes: docker and firejail: to start programs going online | Root-Partition with enough memory free | Root-Partition read-only | New Kernel - Howto install and Howto patch Kernel-Source | full system encryption (FSE) by LUKS | encrypting methods | LAN: connecting Linux- and Windows-hosts, file release | anti-hacker and anti-trojan iptables/Linfw3 | additional filter-concepts | Konqueror: integrated script- and adblocker, importable filter list from our update-side | system integrity check: IDS (intrusion detection systems): incron, iptables by psd (linfw3), aide, ... | installation following rootkit-scan | Session | Anonymized (and encrypted) name resolution without censorship and surveys by DNS-Proxy pdnsd with dnscrypt-proxy and /etc/hosts | Goal or own goal (Tor oder Eigentor)? TOR, the onion-router: Anonymization-Network | Program troubleshooting | Network Troubleshooting | News&Links: network-security | X-Troubleshooting (x11-server) | Printer Troubleshooting (CUPS), Clever and Smart: All for the "little elephant" | News&Links: All (and more) about the computer, repair, network, printer, tips and tricks, more Troubleshooting | single methods and repair | WLAN | CIAO hardware-problems! Just hot and still functioning today: datasheed "certified lifetime-hardware" (energy saving, mouseclick-fast): Operating System: mdv2010.2 updated with CentOS/EPEL (el6, el7) and Rosa on the update-channel, All-in-one-Mainboard (Mini-ITX-220/ASUS-Express 945GC/ICH7 (2009/2010) with classical 1,2GHz-64-bit-Celeron-CPU up to 8 GB DDR-2 and INTEL GMA 950, 82945G/GZ Integrated Graphics Controller, max. 224MB 4800×1200 px, Atheros-Gigbit-Ethernet-LAN-Chip, VIA VT 1705 High Definition Audio-6-Kanal-HD-Azalia-Audio CODEC Soundsystem, 19W, socked and crashfree EZ-Bios AMI, 6×USB 2.0, MS Windows 7- and Linux-tested, 29,95€), 18,5 inch (48 cm) Ultraslim WLED-TFT-Monitor Brilliant Display (18W, 95€), SSD (1W, 128GB, 30&euro,), Steel-Computer-Tower with tower-cooler and front-LEDs, 4,95€, netadapter SL-A 500 W (19,95euro;), ...| Hardware (quit) for free | Hardware for free | Energy power for free (pyhsical motion incl.) | World culture shame: Defrustration and dereaction for free | Sex for free | money for free, country for free ("A revolution never took place", Niko.L.), system for free (FED, EZB, Draghi & Co.) | Everything for free | Complains and ads for free | mdv2010-final: Printer, Printer-Troubleshooting | MS Windows: Tips and Tricks for more security | More than 1000 Linux-Top-Games (mdv2010 resp. rosa2014): OpenGL, SDL, PyGames and more | mdv-2010-final: Software (65 GB + 50 GB (26 DVD ) | CIAO hardware-problems! mdv-2010-final: powersaving hardware (stable and mouseclick-fast) | News&Links#Computer | Everlasting Browser Konqueror: Download Konqueror-Update ( all rpm-based distributions? )| Computer | Monitor | Printer / Drucker | SSD | Network / Netzwerk | Smartphone | MS Windows Advertisement | spends, thanksgiving and quiz | Society - Computer - The Huge Fun of Sun Eating | Society - Niue-Muenzen - Pay with Mickey Maus! | No Horror in Sodom and Gomorrha: Weak point human ( technical and human failures: weak point human, weak point interest-groups, interest conflicts, EU-lobbyism, weak point western countries, weak point "Germ-any" and other western countries ) - Society Report, Part 1-6 | Society, Part 2 - Crawler´s Century (Book) | Society Part 12 - (Forbes) - She got eyes of the bluest sky - and when there comes the rain ... ( open eye sleeping performances and arts ) - wet, wet, wet! | Beauty on Gooken: 1000× more beautiful than you: Marching to die - Narcissism into death Ads | ... unimprovable? News&Links | BACK

Welcome, "Willy, go!"

"More respect for one old people´s nurse than for the bosses from industry all together", seen in the Facebook-Profil from a Maja Schmidt, 01.18.2021
"Each old people´s nurse does perform more than all investment bankers together."

Passage from Stefan Klein of today I´m extrabreit in year 1986: "Amis forces us to buy, all the scrap, that we don´t need."

Der insanity of the world: The decline of tthe TPTB (the powsers, that be): nuclear power stations, weapon deals, environmenet pollution, corruption, lubbyism, ...: The reigning class smells its decline approching - and wants to cause msichief as much as possible, Kolumne, Spiegel Online, 08.24.2015

The "european leader" are ready to destroy their own continent, in order to please their american masters
Past France, Netherlands are ready to send their amriy to Ukraine
,, 29.02.2024

Focus, August 2014: The former ARD-Tagesschau-spokeswoman Eva Hermann bloggs for the russion sender "Voice of Russia". In her newest article she explains, why war between the great power USA and Russland were implaceable. The reason: "They certain need money - for what they would do everything. Bankrupt USA provokate Russia so long, until war takes place.", click here

Reagan´s world of starving bank directors and weeping bailiffs (-> Rio Reiser the 80th) Because of high demand - empty store in Eastern Gemany: Russia discount must close temporarily for the next time,, 02.04.2019

Aus seiner (Reagans´) Welt der hungernden Bankdirektoren und weinenden Gerichtsvollzieher, Rio Reiser, the 80th

niue-muenzen ... and if, such decades ago, even my own mother meant... / ... und wenn vor Jahrzehnten sogar die eigene Mutter zum Thema Maja Schmidt schon meinte ( ist das aber fertig: die eigene Mutter dann auch noch, das kriegt ihr aber wieder...!):

"We are no present-give-away-institution for the Germans and no social station of the USA. / Wir sind keine Verschenkanstalt (Deutschland, Reagans Westen alias ( das vermeintliche ) Judas Judäa) der Deutschen und keine Sozialstation der USA (Asoziale) !",

dann frage ich mich ( schau an: Die eigene Mutter meinte das allein aus sich heraus sogar, echt Seltenheitswert, da denkt man, das gibts doch wohl gar nicht, die eigene Mutter auch noch ... ), ob und inwiefern das eigentlich nicht stimmt.

Up to now she uses neither smartphone nor computer: This is the best, one can do (if possible). It´s so ridiculous. How right she is !


1981, 1982, 1983: Der Elefant macht ernst! Inmitten auf dieser ach so verratenen und verkauften Welt: Clever und Smart, USA, N.Y., 1983:Null Problemo: "If you do not know, how to go on, you have two possibilities: either you explode, or you cry for help. / Wenn man nicht mehr weiter weiß, hat man zwei Möglichkeiten: entweder man explodiert oder schreit nach Hilfe" (Magnum, TV-Serie, Januar 2016).

Science in comics: When research scientists speak in bubbles,, 06.12.2023
Ob Atomkraft oder Klimawandel - die Szene der Comiczeichner hat diese Themen für sich entdeckt. Gerade trifft sie sich zum Münchner Comicfestival. Auch Forscher nutzen das Medium, um ihre Inhalte zu erklären.

Gooken - independent - fairminded - impartial - facts based - opinion friendly Reports from our websides must not present our opinion, Red., Gooken, 2017. "We are not supported by clubs, associtains, parties or lobby groups. We do not shift advertisment, we do not annoy with bothersome pop-ups or force our visitors to deactivate the adblocker. Support us for our Independency!"

USA/The Empire - depopulation programs?, from Gooken-News&Links: and other news

rC3: Cory Doctorow warns against the "digital equivalents with the atom bomb",, 01.03.2020
Der Science-Fiction-Autor Cory Doctorow hat auf dem remote Chaos Communication Congress (rC3) am Sonntag schärfere kartellrechtliche Vorgaben insbesondere für interoperable Online-Dienste gefordert, um den Wettbewerb im digitalen Zeitalter zu erhalten. Mit den fünf Größen des US-Überwachungskapitalismus - Google, Amazon, Facebook, Apple und Microsoft (GAFAM) - seien "die schlimmsten Albträume" der frühen Verfechter von Bürgerrechten im Internet wahr geworden. Ein politisches und rechtliches Gegensteuern sei daher überfällig.

"They destroy and rob EVERYTHING !!! The health, peace, children, elder ones, joy, the last shirt!, Pia Berling @, 08.21.2020, Profil auf Facebook,
"Versteht ihr Systemschaafe noch immer nicht, woraus es hinausläuft? Das C-Phantom nur ein Vorwand ist, um ALLES zu zerstören?
Ihr Wachkomaschafe werdet euren realen Albtraum noch erleben - aber nur einen Sekundenbruchteil, bis ihr in der wahren Realität- Hölle dieser Welt erwachen werdet.
Abermillionen Menschen werden sterben, abermillionen werden Selbstmord begehen, abermillionen werden ihr Hab und Gut verlieren, abermillionen werden durchdrehen, abermillionen werden verhungern, abermillionen werden dauerhaft krank sein... der Rest, der es überleben und überdauern soll, wird für die Menschenhasser die lebenden Zombies und die Sklaven sein!
Steht endlich auf? Auf was wartet ihr eigentlich noch, dass dies alles nur zu unserem Wohle geschieht, dass Politiker es gut mit uns meinen, dass die Dame oder der Herr bei den Systemmedien euch um 20h die Wahrheit erzählt?! Dass die meisten Ärzte euch etwa heilen wollen, dass Lehrer euch die Wahrheit lehren?
Wissenschaftler über alles erhaben sind?
Ihr erwartet, dass der Pfarrer am Sonntag euch ein Kuschelevangelium predigt - welches weichgespült ist und nicht der Wahrheit entspricht!
Geht raus aus der Wohlfühlzone und schützt wenigstens eure Kinder vor den Menschenfresser und Seelenvernichtern!!"

Computer technology - mobil phone
The most dangerous technology ever invented - partl II
, Artur Firstenberg @, 10.31.2021
[...] Die größte Lüge ist, dass es sich hierbei um "stromsparende" Geräte handelt, und dass; sie deshalb sicher sind. Das ist eine doppelte Lüge. Es ist eine Lüge, weil sie nicht stromsparend sind. Wenn Sie ein Mobiltelefon - egal welches - in der Hand oder an Ihren Körper halten, werden Sie von Ihrem Telefon mit mehr Mikrowellen bestrahlt als von jedem Mobilfunkmast und mit zehn Milliarden Mal mehr als von der Sonne, der Milchstraße oder anderen natürlichen Quellen. Die von der Federal Communications Commission* festgelegten Expositionsrichtlinien spiegeln diese Realität wider: Mobilfunkmasten dürfen Ihren Körper mit einer festgelegten Absorptionsrate von 0,08 Watt pro Kilogramm belasten, während Mobiltelefone Ihr Gehirn mit einer spezifischen Absorptionsrate von 1,6 Watt pro Kilogramm belasten dürfen, was dem Zwanzigfachen dessen entspricht.

Bitkom presents numbers and amounts
206 billion Euro harm because of cyber crimes the year
,, 09.01.2023
Durch Diebstahl von IT-Ausrüstung und Daten sowie durch Industriespionage und Sabotage entstehen der deutschen Wirtschaft dieses Jahr 206 Milliarden Euro Schaden. Das ergab eine Bitkom-Umfrage. Immer mehr Attacken kommen aus Russland und China.

Cybercrime in Germany: eight of ten companies are affected,, 12.04.2023
Immer mehr Unternehmen in Deutschland sind von Cybersicherheitsvorfällen betroffen. Laut einer aktuellen Umfrage mussten 81 Prozent der deutschen Unternehmen in den vergangenen zwei Jahren mindestens einmal auf einen gravierenden Sicherheitsvorfall reagieren.

OKHow I prepare myself for the war, T.H.G.,, 11.10.2023
Von Daisy Luther
Wir alle hoffen, dass die Welt wieder einmal einer Kugel ausweicht und nicht in den Dritten Weltkrieg stürzt. Aber es sieht nicht gut aus. Abgesehen von den Spannungen im Nahen Osten, in die wir nicht direkt verwickelt sind, haben die USA gestern Abend als Vergeltung für die jüngsten Angriffe auf amerikanische Soldaten in der Region Luftangriffe in Syrien gegen vom Iran finanzierte Milizen durchgeführt. Und dann ist da noch der Ärger im Innern - wir können uns auf nichts einigen, jeder streitet über Israel gegen Palästina, und diese Einschätzung legt nahe, dass wir auch reif für einen Bürgerkrieg sind.
Das alles liegt natürlich nicht in unserer Hand. Die Entscheidungen, sich an globalen Konflikten zu beteiligen, werden nicht von Leuten wie uns getroffen, und ein Bürgerkrieg ist eine ganz andere Sache. Was kann ein Prepper also tun?
Nun, wir können die Trommeln des Krieges nicht aufhalten, aber wir können uns auf ihn vorbereiten.
Warum ich mich auf den Krieg vorbereite
Ein Freund von mir hat sich mit den Engpässen im Zweiten Weltkrieg beschäftigt, und das ist ein guter Ausgangspunkt. In Amerika waren wir mit der Rationierung von Dingen wie Lebensmitteln, Schuhen, Metall, Papier und Gummi konfrontiert. Priorität hatten die Soldaten, und was übrig blieb, wurde unter den Zivilisten aufgeteilt. Ich bin mir nicht sicher, ob wir dieses Mal genau die gleichen Engpässe haben werden, da der Krieg, wie viele andere Dinge auch, in das digitale Zeitalter übergegangen ist, aber die Soldaten werden immer noch Lebensmittel, Schuhe, Gummiwaren wie Reifen und Metall für die Herstellung von Fahrzeugen und Waffen benötigen.
[...] Kommunikation
Stellen Sie sich vor, Sie befinden sich in einer Situation, in der Sie wissen, dass das Land überfallen wurde, aber die Telekommunikation ausgefallen ist. Ihr Telefon funktioniert nicht, im Fernsehen gibt es keine Nachrichten, und es gibt kein Internet. Sie MÜSSEN in der Lage sein, zu kommunizieren und zu erfahren, was vor sich geht, damit Sie Ihre Familie in Sicherheit bringen können. Sie werden nach Ihren Lieben in der Ferne sehen wollen.
Amateurfunk ist die Antwort. Aden stellt in diesem Artikel einige kostengünstige, einfache Geräte vor. Ich arbeite daran, meine Lizenz zu bekommen, indem ich seinen Studienführer benutze, den ich hier gefunden habe (er ist großartig!), und schließlich kann ich sein Buch über Notfallkommunikation hier lesen.


Confiscated smartphones: a crime of unknown dimension,, 30.10.2023
Den Innenministerien fehlt der Überblick, wie oft ihre Polizeibehörden Smartphones beschlagnahmen. Eine verlässliche Statistik über den tiefen Grundrechtseingriff fehlt. Juristen sehen noch weitere Probleme im Umgang mit der Ermittlungsmaßnahme.

OKThe most dangerous technology ever invented - partl II, Artur Firstenberg @, 10.31.2021
[...] Die größte Lüge ist, dass es sich hierbei um "stromsparende" Geräte handelt, und daß sie deshalb sicher sind. Das ist eine doppelte Lüge. Es ist eine Lüge, weil sie nicht stromsparend sind. Wenn Sie ein Mobiltelefon - egal welches - in der Hand oder an Ihren Körper halten, werden Sie von Ihrem Telefon mit mehr Mikrowellen bestrahlt als von jedem Mobilfunkmast und mit zehn Milliarden Mal mehr als von der Sonne, der Milchstraße oder anderen natürlichen Quellen. Die von der Federal Communications Commission* festgelegten Expositionsrichtlinien spiegeln diese Realität wider: Mobilfunkmasten dürfen Ihren Körper mit einer festgelegten Absorptionsrate von 0,08 Watt pro Kilogramm belasten, während Mobiltelefone Ihr Gehirn mit einer spezifischen Absorptionsrate von 1,6 Watt pro Kilogramm belasten dürfen, was dem Zwanzigfachen dessen entspricht.

US-West-Nix-Niue (sincet Reagan) - Worse than Stasi ago allowed:
Spongebob - TV-Comic-classic Spongebob Spongebobhead - The Autopilot

Video on Facebook

OK"Human trafficking like cattle"
"We, the exploited": on the way to "Soylent Green"!
,, 11.23.2023
Secret services/NSA/monitoring/bigdata
John Whitehead vividly explains the basic features of the scientific dictatorship and the digital panopticon that forms the control network. The government is the scapegoat for Big Tech, the driving force behind technocracy. You will see how we are made, shaped and pressed into products that are then fed back to ourselves ... like Soylent Green. Technocrats have used governments to release Tornado´s endless data that are fed into AI programs. Patrick McGoohan, Creator and Star of the Miniserie The Prisoner from 1967, was ahead of his time when he said: “I don´t let myself be pushed, classified, stamping, inducing, letters, questioning or numbering. My life is my life. ”⁃ TN editor
The Americans have become a slight prey for hackers, fraudsters, spies, spies and swindler.
But don´t believe that the government protects it.
On the contrary, the US government sells us (or better our data) to the highest bidder.
Incidentally, these highest bidder also includes America´s political class and the politicians who want to be elected or re -elected. The Los Angeles Times reports: “If you have participated in a political rally or a citizens´ meeting or just fit into the target group of a campaign, the chances are good that your movements will be followed with worrying accuracy of data providers on the list of campaigns stand.
They sell their phones, televisions and digital devices to politicians who want their voice.
“Welcome to the new world of campaign technology, in which downloading a weather app or a game, making a Wi-Fi connection in a café or switching on a router at home can make it easy for a data broker to monitor your movements To collect your location data and sell you to a political candidate who can use them to bomb them with messages, ”writes journalist Evan Halper.
In this way, “we, people”, were degraded into economic units that can be bought, exchanged and sold by everyone and everyone.
Every day, the Americans are forced to reveal the most intimate details of their personality -their biological constitution, their genetic blueprints and their biometric data (facial features and structure, fingerprints, Iris scans, etc.) -to find their way into an increasingly technological world.
In turn, these intimate details have become building blocks of huge databases to which the state and its criminal partners have access to business and which are susceptible to data breakdowns by hackers, cyber attacks and espionage.
For years, the government has been building huge databases with all possible sensitive information about the citizens without real control or restriction.
Biographical information. Biometric data. Prevent. Travel records.
There is no person in the United States who are not recorded in one or the other state database, and these databases are increasingly being used by authorities, merger centers and the police.
In addition, the government has expanded its huge inventory of data about Americans by purchasing commercially available information (Commercial Available Information, CAI) of third -party providers with little control and little guidelines. A report by the Office of the Director of National Intelligence revealed:
[Commercially acquired data] can reveal sensitive and intimate information about personal characteristics, private behavior, social relationships and language of US citizens and non-US citizens. They can be abused to penetrate privacy, ruin the call, cause emotional suffering and to threaten the safety of people. Even if it is subject to adequate controls, the CAI can raise the possibilities of the government to penetrate private life to a level that goes beyond our constitutional traditions or other social expectations.
In other words, it is the devilishly understood way in which the government tries to avoid the fourth constitutional addition that stipulates that government officials must have a sufficient reason and a search order before spying on Americans or browse and confiscated their private property.
It is bad enough that the government creates huge databases with our personal data without our knowledge or our consent, but then they are also hacked and we have to suffer.
At the beginning of this year, for example, several federal
Authorities, state governments and universities aim of a global cyber attack that endangered the sensitive data of millions of Americans.
Did the government prevent this from further expanding these databases that endanger our privacy and security? No of course not.
In fact, the government also sold our private information. According to VICE, the states´ car authorities have sold the personal data of drivers "to thousands of companies across the country, including private investigators who spy on people for payment".
Where a will is, there is also a way and the government is a master in finding loopholes to exploit its citizens.
In 1994 the Congress adopted the Driver´s Privacy Protection Act (DPPA) to prevent the transfer of personal data, but that did not prevent the state traffic authorities from selling millions (names, birth data, addresses and cars, to earn third parties.
This is only a small part of how the state buys its citizens and sells to the highest bidder.
The reason is always the same: it´s about profit and power.
Welcome to the era of surveillance capitalism.
Have you ever bought from Whole Foods? Practiced the target on a shooting range? Drunk a coffee at Starbucks and surfed on the Internet? Visited an abortion clinic? Seen Fox News or MSNBC? Candy Crush played on her cell phone? Schlendert by a shopping center? Passed on a government building?
This is all necessary to collect, sell and use your data to address you.
Incredible: Once you have been identified and persecuted, data dealers can digitally travel back to find out where they were, with whom they were together, what they did, what they read, saw, bought, etc.
As soon as they are identified in this way, they can be followed endlessly.
Nobody is spared.
In this regard, we are all the same: We all suffer from the humiliation that every piece of privacy is stolen from us and the most intimate details of our life become food for marketers and data professionals.
This scary new era of profit -oriented surveillance capitalism, in which we overheard, observe, persecute, cartographed, bought, sell and target, is enabled by our cooperation. Think about it.
Every movement you make is monitored, searched for data, analyzed, analyzed and saved to get an idea of who you are, how you tick and how to best influence and/or control it.
With every smartphone we buy, with every GPS device that we install, with every Twitter, Facebook and Google account that we open, with every customer card with which we go shopping-whether in the supermarket, in yogurt -Saden, at the airline or in the department store- and with every credit or debit card with which we pay for our purchases, we help American companies to create a dossier for their government partners, who we know, how we think, how we think our money Spend and how we spend our time.
The technology is now so far advanced that advertisers (political campaigns are among the worst taverns) actually "digital fences" around their home, their workplace, the houses of friends and relatives and other places they can visit to build them Bombarding with tailor -made messages that aim at a certain result.
If someone was bothering us in this way - by following us at every step, listening to our calls, reading our correspondence, reading, spying on our secrets, creating profiles of us and targeting us because of our interests and activities - we would call the police .
Unfortunately, police officers (who are equipped with Stingray devices and other tensioner technologies) are also involved in this special fraud.
It is not just the surveillance and the purchase and sale of your data that give the reason to worry.
The effects of a government -whatever kind -that has so much unregulated and non -accountable power to pursue their citizens, to pursue, pursue together
And to arrest are more than scary.
Just imagine what a totalitarian regime like Nazi Germany could have done with such a power.
Imagine what the nearest police state will enter into the footsteps of Germany with this type of power. Society definitely moves quickly in this direction.
We made it so easy for the government to monitor ourselves.
The government´s eyes see each of your steps: what you read, how much you spend, where you go, with whom you run with, when you wake up in the morning, what you see on TV and read on the Internet.
Every movement that you make is monitored, searched for data, evaluated, and brought in a table to get an idea of who you are, how to tick and how best to control it if necessary, you to bring on line.
As the Washington Post reports, it is likely that they have already received a color -encoded threat - green, yellow or red - so that the police are informed about their potential tendency to unrest, depending on whether they have had a military career behind them have posted as a threatening comment on Facebook, suffer from a certain illness or know someone who knows someone who might have committed a crime.
In other words: You could already be marked as potentially anti-government in a state database-for example in the main core database-that identifies and persecuted people (to arrest them in an emergency) who do not bow to the police state dictation want.
The government has the know-how.
As The Intercept reports, the FBI, the CIA, the NSA and other government agencies are increasingly in and rely on surveillance technologies of companies that can analyze constitutionally protected statements on social media platforms such as Facebook, Twitter and Instagram to provide potential extremists Identify and predict who could behave hostile to government in the future.
Monitoring, digital stalking and data mining of the American population - weapons of conformity and control in the hands of the government, especially if the government is able to listen to telephone interviews, monitor driving habits, pursue movements, to pursue purchases Control and peek through the walls of the house - lead to a society in which there is little space for indiscretions, imperfections or acts of independence.
This is the uncanny, calculating and at the same time devilish ingenuity of the American police state: the technology that we celebrated as revolutionary and liberating is to our prison, prison attendant, probation helper, stalker, Big Brother and Father - everything in one Person.
As it turns out, we are Soylent Green.
The film of the same name from 1973 with Charlton Heston and Edward G. Robinson in the leading roles plays in 2022 in a overpopulated, dirty and starving New York, the residents of which are dependent on the survival of synthetic food that is made by the Soylent Corporation.
Heston plays a policeman who determines in a murder case and finds out the cruel truth about the main component of Soylent Green, the main source of food for the starving population. "They are people. Soylent Green is made of humans, ”explains Heston´s character. “You make our food out of people. Next they will breed us like cattle to feed us. "
How right he is.
Soylent Green indeed consists of people, or in our case, Soylent Green is our own personal data that is confiscated, re -packed and used by the company and the government to catch us.
We are also bred like cattle, but not to eat.
Rather, as I am in my book Battlefield America: The War on the American People and his fictional counterpart The Erik Blair Diaries, are bought, branded, branded and sold because of our data.
Since the insidious partnership between the US government and the American company becomes more invasive and subtle from day to day, there is practically no way to escape these attacks on digital privacy, unless you are a modern Luddit that is completely decoupled from any technology.
What we urgently need is an "Electronic Bill of Rights" that protects "us, the people" from predatory surveillance and data processing business practices.
Without constitutional protection against interference in our rights in the electronic area, it will not take long for us to long for a time like Edward G. Robinson´s figure in Soylent Green, in DE. We could talk who we wanted to buy with what we wanted, could think of what we wanted without these thoughts, words and activities of corporations like Google, processed, processed and saved, to government agencies such as the NSA and the CIA sold and used by a militarized police with their army of futuristic technologies against us.

This online-excursion is not suitable much for smartphones. Please start it on a PC!
But if you want to go on with your smartphone inspite of this, your smartphone-browser might still consist of code-errors or code-failures, by not presenting this webside in the full width of 100%. In this case, please touch the free place at the right of the side two times. Now this webside should fullfill the whole screen-width.

supportGooken - the at times breaking full, large "china restaurant"... Do you want the everlasting peace with your computer as a system (backported Fedora Core (fc): updates from year 2010-2026 resp. lifetime) with covering software (backported too) on powersaving and cheap lifetime-hardware, providing the incredible high security level? Contribute to Gooken for the manufacturing of the (consistent) IT-security-standard! For correspondent please click here!

Spend or pay Gooken by :

Spend or pay Gooken by Please click here!

Customer support (this might include customer service and customer care too
The starting situation: The information flow of new hard- and software routes almost to manufacturer, companies and authorities by default (default settings), especially those right from USA (and from itself it might be NY).
Depending on the hard- and software, you as a customer can more or less restrict, even if not forbid this way, but only, if you really want to, by following the steps of our excursion for computer and smartphone ( similar for other devices too) stepwise green hook by hook (what might costs some efforts...).
Notice, that guarantee of manufacturers might run off during it in some, quit seldom cases like unscrewing any devices and unlocking the bootloader of a smartphone, in order to root it.

In advance:

OKWho can see your browser history and the websites you visit?, Marko Grjuic,, 02.06.2023
Protect yourself from snoopy eyes online!
Whenever you are online, there are tons of parties trying to spy out you, from Websites, you visit, up to governments and search engines like Google. Even the internet provider can see plenty of what you are doing online. It becomes more and more important to protect from parties, spying you out.

OKWhat does your internet provider know about you?, Marko Grujic,, 01.10.2023
He probably knows more about you as you thought of. He sees:

The domains, you visited
The sides you visit (for example the videos, you see)
All information you entered into websites.

There is a simple possibility to protect from spying providers: VPN. A VPN hides the IP-address and encrypts your online data traffic, so that it isn´t readable for your ISP and third parties. More options are:

The usage of a proxy-server
The Tor-Browser
... Tor-Browser: Threefold protection against your ISP?
The Tor-browser is an excellent for protecting privacy. Correctly applied and configured, the ISP can not see anymore, what you are doing only in practice. The Tor-browser leads all internet traffic through three at least three of a high amount of server from all over the world.
At each server (node, relais) the data traffic gets encrypted again, so that the data traffic gets extremly high protected. For even better protection we recommend the combination of Tor and VPN ( ... already both in one: Orbot (Tor), remark, Gooken ).

From News&Links

Probably satire, remark by Gooken:

A conversation in Davos spyed out in a adjoining room
,, 15.02.2023
Bill Gates: Diese neue Betrugsdemie - ich meine Pandemie - wird ein echter Humdinger werden.
Klaus Schwab: Ein echtes Prachtexemplar.
Yuval Harari: Was ist ein Humdinger?
Tedros Ghebreyesus: Ein Killer, könnte man sagen. Wir haben die Impfstoffe, die Killshots parat. Und wir werden alle billigen alternativen Therapien, die funktionieren, unterdrücken, verleumden und verbieten - genau wie wir es mit der Covid-Operation getan haben.
Gates: Ganz recht, Tedros, die Impfstoffe sind einsatzbereit! Dieses Mal werden wir vielleicht 2-3 Milliarden durch Impfungen verursachte Todesfälle und Verletzungen erleben. Der Covid-Betrug, ich meine die Pandemie, war eine Aufwärmübung. Alles, was wir jetzt tun müssen, ist, das nächste weltzerstörende Virus anzukündigen. Dabei kann es sich um ein theoretisches Computermodell handeln - genau wie bei Covid-19, das nur als Computersimulation existiert, die von unseren Partnern in China bereitgestellt wurde. Dieser nächste "große katastrophale Virus" wird von… nun, das werden Sie noch früh genug herausfinden.
Albert Bourla (CEO von Pfizer): Absolut fantastisch!
Anthony Fauci: Ich komme dafür aus dem Ruhestand.
Harari: Ich werde ein neues Buch über den unaufhaltsamen Lauf der Geschichte schreiben. Es wird ein weiterer New York Times-Bestseller werden.
Gates: Das Beste von allem ist, dass wir die heilige, heilige, immer schädliche, nicht zugelassene mRNA-Technologie in das Trinkwasser der Welt eingebracht haben.

Hersh in an interview: "I would ask german chancelor Scholz many questions", 16.02.2023
A worth reading interview with Seymour Hersh by the Berliner Zeitung.
Quelle: Berliner Zeitung and

Kim Dotcom: States secrets are onle secret for usual humans, not for the nations involved in the global cyber war,, 04.11.2022
"Top secret" doen´t mean for the worldwide best spy agencies anything. Secrecy is only there, in order to keep populates in the dark.
[...] Let me explain it four you:
Alle big technical databases are equipped with backdoors by all the biggest spy agencies. Each smartphone is on open microphone for them. Each computer connectd in the net, gets opened. All important chips and the most hardware gets equipped with trojans. All data, a spy agencies does collect, gets stolen by the others.
The commiters of main events know, that their opponents do know exactly, who it was, and that it is a game, they play against eachother on the costs of normal people getting victims of stupid contests. It is a secret war during the last decades.
In former times I was a hacker, became a consultant for data security, hiring the worldwide best hacker and getting paid by Fortune-500-companies, to hack them. We never got a customer not getting hacked successfully. That is the truth. There does not exist any effective data security. All is wide open.
Spy agenencies with budgets of billions do have programmers in all leading technology companies, building backdoors into programs. It´s impossible to keep them secret. Competing agencies, cybercriminals and security experts find them. For this reason security patches have to be installed again and again.
I know exactly, how this all functions, and as the NSA worked together with the partner agency GCSB in New Zealand, in order to spy out my devices (in a copyright matter), I catched and unmasked them right before law, in order to enforce a change of the law, so that the primary minister has to excuse himself for it in front of my own.
All state leaders are in the visor of the spy technique,and noone else, even not the US-president, does not get eavedropped by serveral foreign and domestic agencies around the clock. Even encrypted devices put state leaders by them at disposal, do have backdoors. That is the reality.
In zero-technolgy-environments some confidential talks are possible, but they belong the the seldom exceptions.

Cyber security endangers like never before
,, 10.25.2022

From News&Links#Windows and News&Links#NSA&Co.
OKAllicance: Five Eyes, Nine Eyes, ...
"We kill people on the base of meta-data"
Hacking and Eavesdropping
,, 24.02.2020

Hacking is his job: programmed (in-)security
11KM: the tagesschau-podcast
,, 02.28.2023
Benjamin Gnahm is a hacker, belonging to the international hacker elite. ... Documentation about him: With hacking to the top money earners:

Step 1 - Information technology and society - IT security, applied security in the information technology, multiple protection - The Basic Security Level, report from, the meta and local internet search engine

Gain your trust back, and gain the trust in you back!

1000% security for your computer:05.26.2020, since 2010: Computer without needing any care: (paranoid-) secure and standarded stable computer-system, self-repairing, free from wide restrictions, total free from maintenance, surface covering opensourced software, with emulators and virtual machines of many operating systems, always mouseclick-fast (free from hacker and trojan etc.), most comfortable, endless durable (lifetimed soft- and hardware), power-saving, free from royalities and all in all (quit) for free; presented by Gooken
For beginners and advanced on their look out for the really secure solution up to the expert for formulation of high-end ones


With this firewall you WON´T GET ANY HACKER, TROJANS AND SPYWARE anymore!

The general authorized superuser root (of foreign systems) does not have any rights anymore, what is performed by Linfw3 ! Even the X-Server (X, X11) and all other device drivers can not do any unwanted communication over the net anymore!

Together with it and the steps in this excursion, not any system and user passwords can be cracked anymore, even if known by other ones!

Browser-extensions and settings in user.js free from all tracking scripts, webbugs, adware, localization, unwanted connections and further on, this means from all risks completely for browser like Mozila Firefox and the upon Firefox 29 resp. 36 or Firefox Quantum working, always well patched Pale Moon!

OKOnline Banking and Online Shopping etc. with internet-browser Pale Moon, Text by Gooken, 06.12.2023
Online-Banking und Online Shopping etc. mit dem Internet-Browser Pale Moon
For online banking and shopping like Ebay create one more new profile as free from Pale Moon- and Firefox-extensions as possible.
Für Online-Banking und Online-Shopping etc. wie z.B. auf Ebay empfiehlt sich in Pale Moon die Anlage eines weiteren, neuen Profils frei von Erweiterungen.

Brave Browser
The Web-Browser Brave wants to protect user against tracking through ads too. For the blinding out of the advertisement, Brave uses filter lists like those used by Adblock Plus for all browser. Beyond this Brave offers altenative advertising space marketed by the ad service of the manufacturer of the browser. This ad keeps user data untrackable and he can decide by himself, if he wants to see the ads. If he agrees to see them, he shall party in the earnings of ads. The Brave Browser does his work in Windows, Linux, Mac OS X and Android. It is also possible to download his source (OpenSource, Engine: Chrome).
Quelle: Brave | Heise Download,
Suggestive download size: 270 MB (in comparison with Pale Moon of about 40 MB)...

OKFirefox and Google
Deactivate Safebrowsing in Firefox
"browser.safebrowsing.enabled" to "false" setzen
"browser.safebrowsing.malware.enabled" to "false"

We do also recommend the anonymization with Tor (The Onion Router).

Alternatively spend by our bank correspondence see impressum or contact us: You can buy the complete rights of Gooken (over all websides and products) to become its owner for some septrillions per agreement, more details with "News&Links" from left menu!

It might be such an unbearing serious hard imagination for parents small offspings prattling their views and opinions already at school and anywhere...

Stiftung Warentest, TÜV Rheinland, Öko-Test, GS - Checked out Security, AUSTest (for all, that can´t get out of order, lifetime products), ISO-certified company, ISO, DIN, DLG gold, ..., Tagesschau, Spiegel, Stern, ..., OpenSource / LSB-compliance, patent right:

So where the hell is all advertisement (also upon the costs of tax payers) good for, as one can´t imagine better adverstisement?

Tor, The Anonymizing Network - Äh, ... Looking out for GOOD Tor Nodes (entry-, middle- and exit-nodes / relais) now ..., text 2019 by Gooken

How Bill Gates hijacked a failing pharma system and smashed it: A tale of incompetence, deceit, greed, and an unmitigated thirst for power, T.H.G.,, 03.03.2023
All began with strategic incompetence.

British journalist shows CIA directly parted in the foundation of Google,, 03.03.2023
"Google fundamentally started as a CIA-Projekt", so the journalist and author of "Propaganda in the information century", Alan MacLeod, who has warned ago, that the relations to the tech-gigants of the secret agencies cause serious hard problems for the freedom of information and opinion.

"We have warned you! Reading further on at your own risk."
"Google knows everything? Yes, and much more!"

"Data security" - This is, what Google, Facebook and Microsoft really know about you
, Epoch Times, 05.18.2019
Schnell etwas googlen, dann hier und da etwas liken und anschließend mit Cortana etwas im Internet bestellen: Alltag für viele Menschen, doch mit jeder Aktion geben wir bereitwillig unsere Daten preis. Wie viel das Internet über jeden einzelnen von uns weiß, ist erschreckend.
Google weiß alles? Ja, und noch viel mehr! Und manchmal weiß Google sogar Dinge, die wir selbst nicht wissen, bestes Beispiel: Was Google tatsächlich über uns weiß. Dieter Bohn, Chefredakteur von "The Verge", formulierte es sehr elegant:
Unsere fortschrittlichen KI-Algorithmen können vorhersagen, welches Auto Sie mieten möchten, und dann das Webformular für Sie ausfüllen. Es weiß, was Sie wollen und tut es einfach."
Mark Vang vom World Community Computing Grid, einem IBM-Projekt, bei dem Menschen der Forschung ihre PCs und Rechenleistung zur Verfügung stellen, ergänzte:
Alle diese Daten, die wir gesammelt haben und weiterhin sammeln, bleiben direkt auf unseren Servern, wo wir sie an jeden verkaufen können … Aber zögern Sie nicht, Ihr Konto jederzeit zu ‚löschen‘."
Wenn Sie einen kostenlosen Service nutzen, sind Sie das Produkt
Doch Google ist nicht der einzige Internet-Riese, der es auf unsere Daten abgesehen hat. Microsoft und Facebook, autonome Fahrzeuge und Smart Homes sammeln ebenso Daten in beträchtlichem Umfang. Wieso? Weil wir, zumindest im Fall Facebook, ihnen bereitwillig alles erzählen, was sie gar nicht wissen wollen - und weil es Geld bringt.
Sie wollen auch wissen, was das Internet über Sie weiß? Die Antwort ist erschreckend.
Wir haben Sie gewarnt! Weiterlesen auf eigene Gefahr.
Dylan Curran, Datenschutzberater für und ehemaliger Berater der Amerikanischen Bürgerrechtsunion ACLU, hat die Daten, die die großen Firmen über ihn gesammelt haben, genauer untersucht. Dies sind seine Ergebnisse:
Google speichert alle Orte, an denen Sie in den letzten Wochen, Monaten und Jahren waren, wann Sie dort waren und wie viel Zeit Sie benötigt haben, um von einem Ort zum Nächsten zu kommen.
Auch wenn Sie die Geolokalisierung deaktiviert haben, speichert Google die Ortsdaten, die aus anderen Quellen stammen. Dazu zählen unter anderem Information, welches W-LAN-Netz sie nutzen oder Suchanfragen auf Google Maps.
Unter können Sie Ihr eigenes Bewegungsprofil abrufen.
Google weiß alles, was sie je gesucht - und gelöscht - haben
Neben Ihrem Bewegungsprofil erstellt Google ein geräteübergreifendes persönliches Suchprofil aus all Ihren Suchanfragen. Das bedeutet, selbst wenn Sie Ihren Suchverlauf auf einem Gerät löschen, sind die Daten noch immer vorhanden.
Unter können Sie Ihr Aktivitätsprotokoll abrufen und -einstellungen ändern.
Google speichert nicht nur Daten, sondern kombiniert diese auch auf verschiedene Art und Weise. Sie haben nie nach "Wie nehme ich 10 kg in 2 Wochen ab" gesucht? Brauchen Sie auch nicht. Google genügt es zu wissen, dass Sie weiblich, Anfang dreißig sind und nach Bioläden in Ihrer Umgebung gesucht haben.
Die Kombination von Ortsdaten, Geschlecht, Alter, Hobbys (Suchanfragen), Karriere, Interessen, Beziehungsstatus und ungefähres Gewicht sowie Einkommen führt zu einem einzigartigen Marketingprofil, auf dessen Grundlage Sie Werbung erhalten.
Unter können Sie Ihr Werbeprofil einsehen.
Sie nutzen einen Ad-Blocker? Google weiß es. Sie übersetzten oft Texte? Google weiß es. Sie nutzen eine Doodle-Liste, um ein internationales Geschäftsmeeting zu planen. Google weiß es, denn es speichert sämtliche Daten über Apps und Erweiterungen die Sie nutzen.
Diese Informationen umfassen, welche Apps Sie nutzen, wann und wo Sie sie benutzen, wie oft, wie lange und mit wem Sie damit kommunizieren, einschließlich mit wem sie auf Facebook chatten, wo diese Person lebt und wann Sie schlafen gehen.
Unter können Sie die Apps mit Zugriff auf Ihr Konto abrufen.
Google kennt alle YouTube Videos, die Sie je angeschaut haben
Google speichert alle Videos, die Sie je auf YouTube gesucht und angeschaut haben - auch wenn Sie es nach Sekunden geschlossen haben.
Dementsprechend weiß Google, ob Sie in Kürze Eltern werden, welche politische Einstellung Sie haben, welcher Religion Sie angehören, ob sie depressiv oder sogar selbstmordgefährdet sind.
Drei Millionen Word-Dokumente Daten
Das Gute an Google ist, Sie können all diese Daten anfordern und einsehen. Dylan Curran hat genau das getan und erhielt eine Archive-Datei mit 5,5 GB. Das entspricht etwa drei Millionen Seiten Fließtext.
Wenn Sie neugierig sind: Unter dem Motto "Ihr Konto, Ihre Daten" kann man unter "eine Kopie der Inhalte aus Ihrem Google-Konto exportieren, wenn Sie sie mit einem Dienst eines anderen Anbieters sichern oder nutzen möchten" so Google.
Diese Daten umfassen alle zuvor genannten Informationen, hinzu kommen noch Lesezeichen, E-Mails, Kontakte, Google Drive Dateien, Fotos, die mit Ihrem Handy aufgenommen wurden, die Geschäfte, bei denen Sie etwas gekauft haben und die Produkte, die Sie über Google gekauft haben.
Außerdem Ihren Kalender, Hangout-Konversationen, Musik, Bücher, Gruppen, Webseiten, die sie erstellt haben, Telefone, die sie besessen haben, geteilte Seiten, wie viele Schritte Sie pro Tag gemacht haben - eine nahezu endlose Liste.
Wie Google an Ihre Daten kommt
Auch wenn Sie diese Antwort vermutlich nicht gern hören: Sie geben Ihre Daten freiwillig. Das Google-Archiv der gesammelten Daten zeigt Ihnen, wie.
1. Suchverlauf
Der Suchverlauf von Dylan Curran umfasste mehr als 90.000 Einträge und zeigt unter anderem, welche Bilder er heruntergeladen und welche Webseiten er besucht hat. Natürlich bietet der Suchverlauf auch alle Suchanfragen zu Webseiten für das illegale Herunterladen von Programmen, Filmen und Musik, sodass diese Daten bei einer Gerichtsverhandlung durchaus gegen Sie verwendet und einen großen Schaden anrichten können.
2. Kalender ...
3. Google Drive ...
4. Google Fit ...
5. Fotos
Sollten Sie aus Versehen all Ihre Fotos gelöscht haben, keine Sorge, Google hat sie noch alle - einschließlich der Metadaten, wann, wo und mit welchem Gerät Sie die Fotos (und Videos) aufgenommen haben. Selbstverständlich gut geordnet nach Jahr und Datum.
6. E-Mails
Falls man Google-Mail oder Gmail nutzt, hat Google auch alle E-Mails, die Sie je gesendet oder bekommen haben. Das gleiche trifft auf alle E-Mails zu, die Sie gelöscht haben und auch die, die Sie nie erhalten haben (weil sie als Spam kategorisiert worden sind).
7. Aktivitätenprotokoll
Das Aktivitätenprotokoll umfasst wiederum Tausende Dateien und könnte Ihnen vermutlich auf Tag und Sekunde genau sagen, wie Sie sich gefühlt haben. Aufgrund der Fülle dieser Daten konnte Dylan Curran nur eine kurze Auswahl vorstellen:
Google speichert alle Werbeanzeigen, die Sie jemals gesehen oder angeklickt haben, jede App, die sie geöffnet, installiert oder gesucht haben und alle Webseiten, die sie je besucht haben.
Jedes Bild, das Sie gesucht oder gespeichert haben, jeden Ort, den Sie gesucht oder angeklickt haben, jede Nachricht und jeden Zeitungsartikel, jedes Video, das Sie angeklickt haben und jede einzelne Suchanfrage die Sie seit Ihrer ersten Google-Suche gemacht haben - egal ob Sie ein Google-Konto haben oder nicht!
Datensicherheit bei Facebook
Auch Facebook bietet die Option, seine privaten Daten herunterzuladen. Für Dylan Curran umfasste diese Datei "nur" 600 MB oder etwa 400.000 Seiten Text.
Darin befanden sich alle Nachrichten, die er je gesendet oder empfangen hat, alle Kontakte seines Telefons, und alle Sprachnachrichten.
Zusätzlich speichert Facebook all Ihre (möglichen) Interessen, basierend auf den Beiträgen, die sie geliket oder verborgen haben und - für den Datenschutzbeauftragten eher sinnlos - alle Sticker, die Sie je gesendet oder bekommen haben.
Darüber hinaus speichert Facebook - ähnlich wie Google - alle Daten Ihre Aktivitäten, wann Sie sich einloggen. Dazu gehört das von-wo und welches Gerät gerade genutzt wurde.
Außerdem speichert das Unternehmen ebenfalls Daten aus allen jemals mit Facebook verbunden Apps, sodass Facebook Ihre politische Einstellung und Interessen kennt. Facebook weiß vielleicht auch, dass Sie Single waren (denn Sie haben Tinder installiert/deinstalliert) und ab November ein neues Smartphone hatten.
Datensicherheit wird bei Windows groß geschrieben
Im Prinzip ja, denn wer Windows 10 nutzt, hat unzählige Möglichkeiten seine Privatsphäre "zu schützen". In der Tat sind es so viele, dass es unübersichtlich wird. Die wenigsten Menschen nehmen sich tatsächlich die Zeit, alle 16 (!) Menüpunkte und ihre jeweiligen Optionen und weiterführenden Einstellungen durchzulesen und individuell zu entscheiden. Kategorisch alle Schalter zu deaktivieren bringt weder den optimalen Schutz, noch das optimale Nutzungserlebnis.
Ganz ähnlich funktioniert auch das neue Sicherheitskonzept von Google, unter dem Motto: "Sie haben die Wahl" - nur dass Ihnen niemand erklärt, was Sie dort eigentlich auswählen können.
Fremdsteuerung von Webcam und Mikrofon
Die Daten, die Windows standardmäßig speichert, umfassen erneut die Standortdaten, welche Programme Sie installiert haben und wann und wofür Sie sie nutzen. Hinzu kommen: Kontakte, E-Mails, Kalender, Anrufliste, Kurznachrichten, Lieblingsrezepte, Spiele, Downloads, Fotos, Videos, Musik, on- und offline-Suchverlauf und sogar welchen Radiosender Sie hören. Außerdem hat Windows ständigen Zugriff auf Ihre Kameras und Mikrofone.
Dies stellt jedoch gleichzeitig eines der größten Paradoxen der modernen Gesellschaft dar. Wir würden nie im Leben der Regierung erlauben, Kameras oder Mikrofone in unseren Häusern oder Bewegungstracker in unserer Kleidung zu platzieren, stattdessen tun wir es freiwillig, denn - seien wir ehrlich - wir wollen unbedingt dieses süße Katzenvideo sehen. (ts)
Lesen Sie auch
Die dunkle Macht der neuen Medien: Wie soziale Medien unser Selbstwertgefühl beeinflussen,
Apple und Co. sollen vollen Zugriff auf unsere Gesundheitsdaten bekommen,

... Speed and security-level record already upon Intel ® Celeron ! Welcome to the online excursion of Gooken !
Mouseclick-fast, stable lifetime computer system with a kernel like the up to this time 195 times collective-patched 5.4 without any hacker and trojans, free from Viren and worms, no spyware and no adware, owner-, access-rights, integrity-rights and ACL, no cookies (session-cookies, if required), free from maintenance, advertisement, linfw3 upon iptables, ebtables, eventually arptables and always blocked net traffic for superuser root, port scan detector (psad), X/X11-Server with ---no-tcp, locking of all accounts except accounts for the superuser root and the user, locked login shells upon all accounts including root except surfuser (/sbin/nologin and/or firejail), Full System Encryption (FSE), secure end-to-ende-connections (TLS 1.3), few root-processes (X and kernel quit only), password-protection upon all passwords even if known (except the password for the LUKS-login for the encryption of the root-partition), noexec-home-partitions, updates up from 2010 to 2024 and longer, ..., without tracking scripts, scriptfilter, third-party-script- und image-Blocker and further on, sandbox firejail, Browser (within sandbox firejail): Konqueror and Pale Moon, Pale Moon security-extensions, anonymizing (Onion Router Tor), unrestricted internet, locale DNS-cache (local -> pdnsd > Tor-DNS), anonymized DNS-request, E-Mail-Client kmail with spam-filter (bogofilter, spamassassin, ...), ..., all upon mouseclick-fast, powersaving lifetime-hardware (quit for free), crash free and virus free (and at last exchangable) BIOS with own views and deep access rights, ..., all OpenSource.

Gooken is an online excursion to achieve real security with your computer. Just follow this excursion step by step (green hook by hook) !

But at first have a look upon some introducing links from NewsäLinks :

Technocrates lead the word into a dark age,, 07.16.2021
Population control and New World Order (NWO)
The promise of the technocrates for a brandew and better world are hollow as an empty balloon. Their politics forces into a scientific dictatorship and a new erea of neo-feudalism crushing the freedom. The time to avoid technocracy is now!

Our speak (Gooken):

Do not exchange real freedom into wrong security
,, 06.02.2022
From Ron Paul. He is an US-american doctor and politicanr. He is member in the Libertarian Party and was during 1976 and 2013 (with pauses) a Republican representative in congress of the United States. Paul was during the US-president election 1988 candidate of the Libertarian Party and ran party-intern for the republican candidature of the US-president elections in 2008 and 2012.

OKLobby-revolving.-door: Google employs 65 government representatives from EU-staates,, 06.06.2016
Das Google Transparency Project hat herausgefunden, dass in den letzten zehn Jahren 80 Personen sowohl bei EU-Regierungen wie auch bei Google angestellt waren. Google stellte im untersuchten Zeitraum 65 Regierungsvertreter ein, während 15 Google-Mitarbeiter in Regierungsdienste wechselten. Fünf Personen wechselten gar von der Regierung zu Google und dann zurück in Regierungsdienste,

Buyed Judges?
George Soros und Bill Gates sind zwei der größten Geldgeber des Europarats
,, 13.04.2021

Future of online advertisement: The new clothes of Ad-giants,, 02.25.2022
Die Ära der Tracking-Cookies neigt sich dem Ende und ein Kampf um die Vorherrschaft im digitalen Werbesystem ist entbrannt. Eine erstaunliche Partnerschaft zwischen Mozilla und Meta ist nur ein kleines Kapitel in dieser größeren Geschichte, analysiert unser Gastautor. Die nächste Phase der Online-Werbung könnte noch schlimmer werden als der Status Quo.
Werbetafeln leuchten im Dunkeln
Werbung verändert mal wieder ihre Form, doch es ist ungewiss, ob der Wandel Verbesserung bringt. - Gemeinfrei-ähnlich freigegeben durch Joe Yates
Michael Veale ist außerordentlicher Professor für Digital Rights und Regulierung am University College London in der Fakultät für Rechtswissenschaften. Er arbeitet an der Schnittstelle von Recht, neuen Technologien, Politik und Gesellschaft, mit einem aktuellen Schwerpunkt auf maschinellem Lernen und Technologien zur Verbesserung der Privatsphäre. Dieser Artikel erschien zunächst auf englisch.
Mozilla sorgte Anfang des Monats für einiges Erstaunen, als es eine Partnerschaft mit Meta ankündigte. Ausgerechnet mit dem Facebook-Mutterkonzern will die gemeinnützige Stiftung im Bereich neuer Werbetechnologien zusammenarbeiten. Dabei ist es noch nicht lange her, dass die Firefox-Entwickler:innen eine "Facebook-Container"-Funktion einführten, um die Cookies dieses einen spezifischen Konzerns unter Quarantäne zu stellen.
Es ist kein Geheimnis, dass der Firefox-Browser angesichts seines schwindenden Marktanteils eine Finanzspritze benötigt. Wahrscheinlich ist er auf der Suche nach mächtigen Freunden. Die Reputation von Mozilla ist jedoch nur der Nebenschauplatz einer viel größeren Geschichte: einer Geschichte über die Zukunft dessen, was wir unter Online-Privatsphäre verstehen. Denn das milliardenschwere System der Online-Werbung - im englischen spricht man von der Ad-Tech-Branche, kurz für Advertising Technologies - befindet sich in einem epochalen Wandel.
Apple und Google übernehmen die Kontrolle
Der Vorschlag von Mozilla und Meta betrifft die Ad Attribution, also die Zuordnung von Anzeigen.

Secret agencies/NSA/Surveillance/BigData
Edward Snowden: "If we weaken encryption, people will die"
,, 24.10.2021

OKGoogle and Microsoft are the biggest data collectors
Data are spreaded out into the whole world
Online-advertisement: Companies collect data each minute
,, 05.17.2022
Technologieunternehmen machen ihr Geld mit Online-Werbung. Ein neuer Bericht zeigt, in welchem Ausmaß sie dafür Daten abgreifen - und wo diese Daten landen.
Ein neuer Bericht zeigt, wie persönliche Daten dank Google und Co. bei Firmen in der ganzen Welt landen.
Eine Person, die in Deutschland im Internet unterwegs ist, wird im Schnitt jede Minute vermessen. Was schaut sie an? Wo geht sie hin? Auf das so geschnürte Datenpaket können Tausende Firmen zugreifen. Das geht aus einem neuen Bericht des Irish Council for Civil Liberties (ICCL) hervor. Firmen auf der ganzen Welt haben demnach Zugang zu teils sehr privaten Daten wie sexuellen Vorlieben oder politischer Haltung. Die Bürgerrechtsorganisation prangert die Aktivitäten der Tech-Giganten als "größtes Datenleck" an.
Anhand interner Dokumente aus der Werbeindustrie beleuchtet der Bericht das so genannte Real-Time-Bidding, ein Verfahren, mit dem in Echtzeit Anzeigenplätze auf Webseiten oder Apps versteigert werden. Dafür wird erhoben, welche Inhalte sich Nutzer:innen ansehen oder wo sie sich befinden, um ihnen zielgenau passende Werbeanzeigen zeigen zu können. Die Zahlen des Berichts beziehen sich auf Europa und die Vereinigten Staaten. Pro Tag würden in Europa demnach 197 Milliarden mal Daten abgegriffen.
"Google und Microsoft größte Datensammler"
Der größte Akteur ist dem Bericht zufolge Google. Doch auch Microsoft sei in die obere Liga aufgestiegen, seit es Ende 2021 die Real-Time-Bidding Firma Xandr kaufte. Zwei weitere Unternehmen, die ebenfalls im großen Stil mit Daten handeln - Facebook und Amazon - sind in den ausgewerteten Dokumenten nicht berücksichtigt, so der ICCL. Laut den recherchierten Zahlen ist Google in Deutschland und Europa der größte Händler. Pro Jahr beläuft sich der Wert des Real-Time-Bidding dem Bericht zufolge auf 117 Milliarden Dollar in den USA und Europa. In der EU sollen es 2019 23 Milliarden Euro gewesen sein. Aus den Dokumenten geht außerdem hervor, dass der Umfang des Datensammeln in Europa deutlich geringer ist als in den Vereinigten Staaten.
Technisch ist das Real-Time-Bidding leicht nachvollziehbar: Sobald man eine entsprechende Seiten öffnet, sammelt ein Dienst im Hintergrund Gebote für die Anzeigenplätze. Die Bietenden analysieren sämtliche Daten der Person, die die Anzeige sehen soll und entscheiden, ob und wie hoch geboten wird. Der höchstbietende Dienst bekommt anschließend den Anzeigenplatz. All das läuft in Echtzeit, also innerhalb weniger Millisekunden ab. Zu den Daten, die alle Dienste während des Prozesses abgreifen können, zählen nicht nur Standort oder Alter. Sie beinhalten oft auch persönliche Vorlieben oder religiöse Orientierung.
Daten enden auf der ganzen Welt
Die Daten, die gesammelt werden, sind nicht nur für die Bieterdienste zugänglich. Laut dem Bericht des ICCL teilt in Europa allein Google die gesammelten Daten mit 1.058 Unternehmen. Darunter seien auch Firmen aus China und Russland. Ein weiteres Dokument aus der Tracking-Industrie zeigt, welche privaten Informationen gesammelt werden, darunter zum Beispiel, ob eine Person Suchtprobleme oder Geschlechtskrankheiten hat. Welche Konsequenzen das haben kann, zeigte erst kürzlich ein Fall in den USA, bei dem ein katholischer Newsletter-Dienst mithilfe von kommerziell zugänglichen Daten aus der Dating-App Grindr einen Priester als homosexuell outete.

OKTesters in year 2016: Around 5500 connection buildup attempts of MS Windows 10 into the internet
Several hundrets of contacts to internet server within a few hours
Windows-Datenschutz auf BSI-Level - so gehts
,, 04.17.2019
Seit der Einführung von Windows 10 wird das Betriebssystem für seinen mangelnden Datenschutz kritisiert: Es werden zu viele Daten ins Internet gesendet. Nun hat das BSI nachgemessen und aufgedeckt, wie Sie den Datenversand komplett abstellen können.
Kritik am Datenschutz von Windows 10 hagelt es von Sicherheitsexperten, Bloggern und Firmen. Ein PC mit Windows 10, der aktuell keine Aufgabe zu erledigen hat, nimmt dennoch laufend Verbindungen zu Servern im Internet auf. Die Kritik ist nicht neu. Schon Windows XP wurde für seine sogenannte "Call-Home"-Funktionen kritisiert. Damals im Jahr 2001 waren einige Programme, etwa der Windows Media Player, für den unangemeldeten Kontakt ins Internet verantwortlich.
Was sich mit Windows 10 im Jahr 2015 geändert hat, war die schiere Menge an Verbindungen.
Fortsetzung des Berichts und Maßnahmen: in Kürze!

OKMacOS and Windows Apps are able to make films secretly,, 07.13.2022
Computer operating systems do not protect enough against spying through Apps. An experiment of BR-Data journalists and PULS Reportage is showing this. This is a security risk especially in times for HomeOffice. Report from Sebastian Bayerl, Maria Christoph, Rebecca Ciesielski, Pia Dangelmayer, Elisa Harlan, Robert Schöffel, BR
Die Corona-Pandemie hat die Kommunikation in der Arbeitswelt grundlegend verändert: Ob morgendliche Videokonferenz oder Meeting am Nachmittag, Videocalls mit aktivierter Kamera sind für viele Arbeitnehmerinnen und Arbeitnehmer Normalität. Dabei birgt das Arbeiten von zuhause in Bezug viele Risiken für die Datensicherheit.

OKCrass lack in security explored: How virus scanner decompose themselves, CHIP, 04.28.2020
Virenscanner sollen Windows eigentlich vor Gefahren schützen. Doch Forschern ist es gelungen, den Schutz zur Gefahr zu machen. Über symbolische Links zwischen Verzeichnissen konnten nicht nur 28 namhafte Virenscanner ausgetrickst werden, die Schutzsoftware ließ sich auch so manipulieren, dass sie sich selbst und Windows unbrauchbar machen konnte.
[...}] Virenscanner bergen auch Risiken. Der Grund ist einfach, die Tools arbeiten mit den umfassendsten Rechten auf dem System, die es gibt. Gelingt es Angreifern eine Schwachstelle zu finden, steht Windows mit runtergelassenen Hosen da.
Genau das ist Sicherheitsforschern gelungen.
[...] Das Tool der Wahl für den Angriff sind verknüpfte Verzeichnisse, wie man sie unter Windows mit dem Befehl "mklink /j" erstellen kann. Das kann jeder Nutzer unter Windows erledigen, Adminrechte braucht es dafür nicht.
Der Angriff nutzt dabei die grundlegende Arbeitsweise eines Virenscanners aus

How bosses survey their employees
,, 09.21.2021
Digitale Überwachung ist in vielen Arbeitsplätzen inzwischen Realität geworden. Eine umfassende Studie untersucht nun gängige Technologien und Systeme, die sich oft in einem rechtlichen Graubereich bewegen.
Viele Angestellte werden in ihrer Arbeit überwacht. Eine Studie untersucht nun gängige Technologien und Systeme. (Symbolbild) - Alle Rechte vorbehalten IMAGO / Panthermedia
Keine Frage, die Zeiterfassung am Arbeitsplatz ist digital viel praktischer als mit analoger Stechkarte. Doch beim Aufschreiben von Zeiten bleibt es oft nicht: Längst können solche Systeme etwa Daten über Arbeitstätigkeiten erfassen und festhalten, mit welchen Projekten oder Kund:innen sich Mitarbeitende wie lange beschäftigt haben. Später lassen sich diese Daten für Abrechnungen nutzen oder mit anderen Datenquellen vernetzen. Firmen wollen damit betriebliche Abläufe optimieren, während Arbeitnehmer:innen zunehmend gläsern werden.
"Unternehmen können digitale Überwachung und Kontrolle nutzen, um Arbeit zu beschleunigen und zu verdichten, Freiräume einzuengen oder Beschäftigte leichter ersetzbar zu machen", sagt Wolfie Christl. In einer 150 Seiten starken Studie hat der österreichische Datenschutz-Aktivist für die NGO Cracked Labs untersucht, wie weit die digitale Überwachung am Arbeitsplatz inzwischen fortgeschritten ist. Die Studie ist Teil des Projekts "Gläserne Belegschaft" und wurde mit Hilfe österreichischen Gewerkschaften und der Arbeiterkammer Wien erstellt.

Screen recording in Windows 10: Get to know, how simple this can be done, CHIP, 01.27.2022
Möchten Sie Ihren Bildschirm unter Windows 10 abfilmen, können Sie die gleichen Screencast-Tools wie unter älteren Windows-Versionen anwenden. Wir erklären Ihnen, wie auch in der neuen Windows-Version ein Screencast gelingt. Mit der richtigen Tastenkombination geht es super einfach.

OKVisualized: With this 600 companyies Paypal shares your data,, 23.01.2018
Seit dem 1. Januar 2018 gewährt der Online-Zahlungsdienst PayPal Einblick in die Liste der Firmen, mit denen er "möglicherweise" persönliche Informationen seiner Nutzer teilt. Rebecca Ricks hat die sage und schreibe 600 Firmen visualisiert.

OKFacebook aks banks for user data,, 08.07.2018
Facebook hat laut einem Medienbericht bei mehreren großen US-Banken angefragt, um von diesen Kundendaten zu bekommen.,3451879 ä

OKIt might already be risky to get an E-mail from Gmail (and other freemailer), because of its include getting stored and distributed.
The best, one can do, is to resign from any E-mail-account. If you must have one, remove it after use. If you still have one, never tell more people about your E-mail-address than necessary.

OKGoogle knows your online purchases from online shopping via Gmail-tracking,, 20.05.2019
Google ist in der Lage, alle Online-Einkäufe der Nutzer zu tracken, auch wenn diese nicht via Google getätigt wurden.

OKGoogle tracks master card user
Bericht: Google verfolgt Nutzer offline mit Mastercard-Daten
,, 08.31.2018
Laut einem Bloomberg-Bericht kauft Google Kunden-Daten von Mastercard, um Kunden auch offline zu tracken.
Wie die News-Plattform Bloomberg berichtet, ist Google wohl einen Deal mit Mastercard eingegangen, um Offline-Einkäufe von Kreditkarten mit Nutzerkonten zu verknüpfen. Für die Daten von 70 Prozent aller Mastercard-Inhaber der USA aus dem Jahr 2017 soll Google demnach mehrere Millionen US-Dollar gezahlt haben. Darin enthalten sind Transaktionsdaten, die für Google ausreichen, um Personen eindeutig zu identifizieren.
[...] Laut den Angaben von Bloomberg sind sich aber beide Unternehmen wohl darüber bewusst, dass hier jede Menge Datenschutz-Probleme auftauchen. Der Deal wurde daher nur zögerlich eingegangen. Vier Jahre wurde zwischen den zwei Unternehmen verhandelt, bevor der Deal abgeschlossen wurde. Mastercard-Inhaber wurden darüber hinaus nicht über das Tracking informiert. Zwar gäbe es in Googles Web-Console eine Möglichkeit das Tracking zu untersagen, jedoch ist dies für den Großteil der Nutzer nicht ersichtlich.
[...] Der Bloomberg-Bericht bezieht sich nur auf die USA. Ob Google in weiteren Ländern ähnlich vorgeht, geht aus dem Artikel nicht hervor. In den Vereinigten Staaten machen Umsätze mit Mastercard rund 25 Prozent des gesamten Umsatzes aus.,3452190

Scoring and more

You must get active: The financial takeover of your bank account - BlackRock, Envestnet/Yodlee und die Federal Reserve
,, 06.16.2021
Terror/Terrormanagement Have you ever heart of Yodlee? Ich auch nicht, bis ich entdeckte, dass das Unternehmen meine Daten in meinem Bankkonto sammelt und sie wahrscheinlich an Dritte verkauft. Dies wurde schnell zu einer persönlichen Recherche, bis ich erschütternde Zusammenhänge entdeckte, von denen ich erkannte, dass die Öffentlichkeit darauf aufmerksam gemacht werden muss. Bevor Sie beschließen, dass dies nichts mit Ihnen zu tun hätte, bitte ich Sie dringend, diesen Artikel in seiner Gesamtheit zu lesen und die zeitlichen Abläufe genau zu beachten, denn dies betrifft SIE ALLE, und es wird in mehreren Ländern eingeführt. Ich empfehle Ihnen, sich bei Ihrer Bank zu erkundigen und herauszufinden, welche Drittparteien in Ihre Konten verwickelt sind, und die Möglichkeit in Betracht zu ziehen, Ihre Gelder zu einer kleineren lokalen Bank zu transferieren. Hier geht es nicht nur um Spionage und Datenaggregation, sondern um einen strukturellen Aufbau, der uns in das System der Sozial- und Klimabilanz und noch darüber hinaus bringen soll. Und Biden schreibt die Anordnungen, um den Rahmen zu schaffen, den BlackRock ausgearbeitet hat.
Untersuchen Sie Ihre Bank, Finanzinstitute und Ihre Konten
Kurze Zusammenfassung
Mehr dazu: in Kürze u.a. auf News&Links#Bankenskandal

Privacy labels failMany ‚tracking-free‘ apps in iOS secretly track users
,, 01.20.2022
Apple forces developers give clear privacy information to app users. But according to new research, four out of five tested apps that claim to not collect data from users actually do. It reads like a fairly simple statement: "Data not collected". Apple introduced such clear privacy labels for apps on its mobile operating system iOS over a year ago. They are supposed to show whether and which data the app passes on to its operators or third parties.
A sizeable portion of apps claim not to collect any data from users. But many of these labels are clearly false, as a technical analysis shared exclusively with has shown. Computer scientist Konrad Kollnig from Oxford University examined 1,682 randomly selected apps from Apple´s App Store. 373 of the apps tested (22.2 percent) claim not to collect personal data. However, four out of five, 299 apps in total, contacted known tracking domains immediately after the first app launch and without gaining user consent. (Data to be published soon, more details on the method here.)
One prominent app from Kollnig´s dataset is "RT News" by the Russian state broadcaster. The app claims not to collect any data. To verify the accuracy of that claim, Kollnig loaded it onto a test device and navigated to a few random articles. In total, the RT app sent data to 19 domains. Not to Russia, but to tracking services of the tech giants Facebook and Google, the market research company ComScore and the advertising company Taboola.
Such data collection should be specified in the data protection label, says Kollnig, because it could contain sensitive information, including what news users have viewed in the app. "Unfortunately, it´s often unclear what data is really being collected and what happens to that data." He says that particular caution should be exercised with apps that have access to the GPS location. As research by the New York Times has shown, such location data often ends up in the hands of data companies that offer it for sale - a clear case of abuse.
Kollnig, a PhD student at Oxford University´s Department of Computer Science, and his colleagues have been studying just how much tracking is happening through apps. Most recently, they published an analysis of nearly two million Android apps in the Internet Policy Review. They found that little has changed since the EU´s General Data Protection Regulation took effect in May 2018. According to their findings, around 90 percent of the apps in Google´s Play Store may share tracking data with third parties.
For his analysis of iOS apps, Kollnig randomly selected apps that have been in Apple´s app store since January 2020 and have subsequently added a privacy label. He loaded the apps automatically on an iPhone 8 running on iOS 15.2, where each app was opened. No other interaction took place; crucially, no consent to tracking was given. Kollnig examined the data flowing from the phone through a so-called man-in-the-middle proxy. He also installed some apps manually for extra testing.
Privacy labels get bad reviews
In principle, Apple sets higher standards than other companies when it comes to data protection and privacy. The tech giant has used its privacy bona fides for marketing purposes, including speeches by CEO Tim Cook at major European data protection conferences.
In December 2020, Apple introduced privacy labels "to help you understand how apps handle your data". They faced criticism from the start. In January 2021, Washington Post columnist Geoffrey A. Fowler found more than a dozen false claims in privacy labels, including in a video app for children and a popular game. Fowler noted that the small print of the labels states that Apple does not always check the privacy information, but instead relies on occasional audits.
A year later, the situation is essentially the same. Kollnig found numerous popular apps in his analysis that collect more data than claimed. For example, the puzzle app of a large gaming company sends an ID number of users to numerous tracking services, contrary to its label. Tracking even happens within apps by government agencies. Kollnig found that the app of the Met Office, the UK´s national weather service, sends sensitive information such as GPS data to Google and Amazon and also - without any indication in the label - collects a user ID.
Apple declined to comment directly on Kollnig´s analysis. Contacted by, the tech giant only said that the information in the labels came from the developers, and that Apple focusses ongoing reviews on the most popular apps.
According to Kollnig, there is a practical reason why so much data from popular apps ends up with third parties. Tracking services are usually integrated into apps via so-called libraries. Libraries are subroutines that perform certain tasks in an app. Their use makes work easier for programmers, but means less control over the finished app. Many libraries come from companies like Google, and the tracking code is hidden in them. "App operators often have no way of verifying the program code of these libraries, because the tracking companies usually do not make their code public," says Kollnig.
Tracking offers app providers a way to make money through personalized advertising. "The need of app operators to earn money is understandable," says Kollnig. But the business comes at the expense of the users, who hardly know anything about the collected data. According to Kollnig, Big Tech companies deliberately make it difficult for app operators to use privacy-friendly alternatives. His thinks that in order for this to change, EU countries must start enforcing their privacy laws more vigorously.
Correction on Friday, January 21, 2022: The story initially misstated that one out of five apps, 299 in total, contacted known tracking domains immediately after the first app launch. We corrected that figure to four out of five. .

How the data industry prevented the prohibition of survey-advertisement,, 02.20.2022
Das EU-Parlament will verhaltensbasierte Werbung und invasives Tracking einschränken. Eine Initiative zum Verbot der umstrittenen Überwachungswerbung ist jedoch gescheitert. Ein Bericht des Corporate Europe Observatory zeigt, dass das auch am mächtigen Lobbyismus von Google, Facebook und Co. liegt.

Up to one billion internet connections daily
Foreign secret agencies
How the BND surveys the internet
,, 05.15.2020
Nach Informationen von BR und "Spiegel" kann der BND offenbar auf mehr als eine Billion Internetverbindungen täglich zugreifen. Nächste Woche wird in Karlsruhe entschieden, ob die Überwachung rechtens ist.
[...] Das hängt auch mit der Daten-Auswertung zusammen, die der BND betreibt. Die Daten werden ihm unbearbeitet von deutschen Internet-Austauschknoten übergeben, auf Anordnung des Kanzleramtes hin. 23 solcher Knoten gibt es hierzulande, mit dem DE-CIX in Frankfurt am Main steht dem BND auch der Knoten mit dem weltweit höchsten Datendurchsatz zur Verfügung.
Techniker des DE-CIX stellten im Oktober 2019 auf Nachfrage des Verfassungsgerichtes Berechnungen an, um die Größe der Datenmenge abzuschätzen. Derzeit werde "ein durchschnittliches Volumen von rund 47,5 Billionen IP-Verkehrsverbindungen täglich vermittelt". Der BND sei technisch in der Lage, jeden Tag auf 1,2 Billionen Internet-Verbindungen aus dieser Gesamtmenge zuzugreifen.
Bevor der BND die Daten auswertet, werden sie in einem ersten Schritt anhand von IP-Adressen gefiltert. In einem der Dokumente führt die Bundesregierung aus, dass IP-Adressen "in Bezug auf eine Verortung auf Länderebene zu 96 bis 98 Prozent genau" seien. Doch nimmt man die mehr als eine Billion Verbindungen, die der BND täglich ausleiten kann, würden 24 Milliarden Rohdaten nicht umgehend gelöscht, wie vorgesehen, sondern einer weiteren Filterstufe zugeführt.
Die Internet-Verbindungen werden in einem zweiten Schritt automatisiert nach Meta- und Inhaltsdaten untersucht, also konkret geführten Gesprächen. Metadaten zeigen zum Beispiel, wer mit wem telefoniert, wann und wie lang. Mehr als 100.000 Suchbegriffe werden verwendet: von Telefonnummern und E-Mail-Adressen bis hin zu Namen chemischer Stoffe, mit denen sich Massenvernichtungswaffen herstellen lassen.
[...] Snowden enthüllte globale Überwachung
In welchem Ausmaß der BND über Jahre Telekommunikationsdaten abgegriffen und an den US-Geheimdienst NSA weitergeleitet hat, wurde durch die Enthüllungen des Whistleblowers Edward Snowden im Juni 2013 und im daraufhin vom Deutschen Bundestag eingesetzten NSA-Untersuchungsausschusses deutlich. Das Gremium beschäftigte sich unter anderem mit dem Projekt "Eikonal". Dabei erfasste der BND mindestens von 2004 bis 2008 über einen Kabelknoten der Deutschen Telekom in Frankfurt am Main Daten und leitete sie an den US-Geheimdienst NSA weiter - offenbar ohne wirkliche rechtliche Grundlage.
Nach wie vor ist umstritten, ob sich darunter auch Daten deutscher Staatsbürger befunden haben. Ein Mitarbeiter der beim BND zuständigen Abteilung, den der NSA-Untersuchungsausschuss mehrfach als Zeugen vernommen hatte, wies entsprechende Medienberichte damals zurück: "Meines Wissens wurde aus diesem Ansatz kein Datum eines Deutschen abgeleitet." Grüne und Linke zogen am Schluss der Ausschussarbeit ein gegenteiliges Fazit: "Eikonal wuchs dem BND über den Kopf."
Unter anderem deswegen trat am 31. Dezember 2016 ein neues BND-Gesetz in Kraft. Für Armin Schuster - auch er wie von Notz Mitglied im PKGr - ist die Kontrolle des BND bereits jetzt streng: "Deutschland wirft im weltweiten Datenmeer nicht ein Schleppnetz aus, sondern arbeitet mit der Harpune und das wird intensiv kontrolliert."
In Berlin rechnet man aber damit, dass in Karlsruhe der Beschwerde zumindest in Teilen stattgeben wird.

Dossier: eavesdropping by the state,, 2021
Von angezapften Unterseekabeln über die neueste Ausweitung von Staatstrojanern bis zum Datenmissbrauch durch Polizeibeamte - wir berichten seit Jahren über staatliche Überwachungsmaßnahmen und ihren Einsatz. Damit ihr keine tiefgreifenden Änderungen verpasst und den Überblick behaltet, sammeln wir in diesem Dossier alle unsere Artikel zum Thema staatlicher Überwachung. Wir bleiben für euch dran.

OKHow all began
Five years lasting fight against End-to-End-encryption
,, 02.12.2020
Die Regierungen der EU-Mitgliedstaaten wollen ihre Polizeien und Geheimdienste befähigen, Ende-zu-Ende-verschlüsselte Kommunikation zu umgehen oder mit technischen Werkzeugen auszuhebeln. Ein Rückblick.

36 Millionen Euro: ZITiS builds supercomputer for decryption
,, 10.16.2018

OKMS Windows
One, two, three, four state trojans
,, 21.03.2019
[...] ZITiS ist nicht die einzige deutsche Hacker-Behörde. Das Bundeskriminalamt kann aktuell drei Staatstrojaner einsetzen, ein vierter wird zur Zeit programmiert.
Fortsetzung des Berichts: in Kürze, nach dem Listing von!

New analyzes-platform: check Windows-driver against trojans,, 12.27.2021
Microsoft bietet einen neuen Online-Service an, bei dem Entwickler und Sicherheitsforscher sich verdächtig verhaltende Treiber zur Analyse hochladen können.
Oft laufen Windows-Treiber mit Kernel-Rechten. Schafft es ein Angreifer an dieser Stelle manipulierend einzugreifen, könnte er Malware tief im System verankern. Um dem vorzubeugen, stellt Microsoft ab sofort eine Analyse-Plattform für Treiber bereit.

Warning, 2022: The war of the technocracy against humand kind will be proceeded,, 04.01.2022
Am letzten Tag des Jahres 2021 gibt es keinen besseren Zeitpunkt, um über die jüngsten Erfolge der Technokratie und ihre wahrscheinliche Entwicklung im Jahre 2022 nachzudenken.
Über Weihnachten habe ich meine "Zwölf Tage der Technokratie"-Artikel vorgestellt, die ursprünglich im Dezember 2019 geschrieben wurden. Obwohl diese unten auf der Startseite von erscheinen, hatten viele Menschen sie nicht gelesen.
Die Absicht dieser Artikel war es, eine Einführung in die Technokratie zu geben, die verschiedene Themen wie Zentralbankwesen, Wissenschaft, Bildung und Politikwissenschaft umfasst. Es war eine passende Art und Weise, das Jahr 2019 abzuschließen.
Zu jedermanns Schock und Bestürzung begann die Große Panik von 2020 (mein Ausdruck) einen Monat später im Januar.

Zero by Gooken noticed "Universal Linux" errata since 2021

"Why Linux is better than Windows", leading expert Cosinus from, 2007 up to now (2021)
The quit endless Windows-failure-lists - All the problems of MS Windows users

"The internet must get away!"
Schlecky Silberstein surfs in our filterbubble

Christian Brandes aka Schlecky Silberstein would like to forbid this medium, that feeds him. In "The internt must get away" the blogger describes, how we get misused and brainwashed by algorithms, trolls and tech-companies. But isn´t he a part of it too? A recension.
Reader opinion by Gooken
Many people share this opinion, so what´s wrong with it?.

Expert about privacy: "I always ask myself, why the people do still make this through",, 06.09.2019
Marc Al-Hames knows all tricks about the advertisment industry. In an interview with the Stern he explained, why sudden confessions for data-protection of some companies can not be taken seriously and tells us about the defference between Apple and Google in the point data protection.
[...]."Facebook for example never understood privacy matters up to now."
[...] "Surveys showed the biggest amount of user not reading business conditions (AGB) and to follow the ones, who want."

Hacker organize themselves more and more professionelly,, 12.22.2021
Im Laufe des Jahres 2021 haben Cyberkriminelle ihre Untergrund-Ökosysteme immer besser organisiert, sodass im neuen Jahr mit noch professionelleren Angriffsmustern gerechnet werden muss.
Insbesondere Ransomware-Gruppen suchen laut den Sicherheitsexperten von Radware zunehmend Verbündete unter erfahrenen Auftragshackern, die sich über die Gewinne aus großen Erpressungskampagnen freuen.

You must get active! The financial takeover of your bank account- BlackRock, Envestnet/Yodlee and the Federal Reserve
,, 08.16.2021 Haben Sie schon einmal von Yodlee gehört? Ich auch nicht, bis ich entdeckte, dass das Unternehmen meine Daten in meinem Bankkonto sammelt und sie wahrscheinlich an Dritte verkauft. Dies wurde schnell zu einer persönlichen Recherche, bis ich erschütternde Zusammenhänge entdeckte, von denen ich erkannte, dass die Öffentlichkeit darauf aufmerksam gemacht werden muss. Bevor Sie beschließen, dass dies nichts mit Ihnen zu tun hätte, bitte ich Sie dringend, diesen Artikel in seiner Gesamtheit zu lesen und die zeitlichen Abläufe genau zu beachten, denn dies betrifft SIE ALLE, und es wird in mehreren Ländern eingeführt. Ich empfehle Ihnen, sich bei Ihrer Bank zu erkundigen und herauszufinden, welche Drittparteien in Ihre Konten verwickelt sind, und die Möglichkeit in Betracht zu ziehen, Ihre Gelder zu einer kleineren lokalen Bank zu transferieren. Hier geht es nicht nur um Spionage und Datenaggregation, sondern um einen strukturellen Aufbau, der uns in das System der Sozial- und Klimabilanz und noch darüber hinaus bringen soll. Und Biden schreibt die Anordnungen, um den Rahmen zu schaffen, den BlackRock ausgearbeitet hat.
Untersuchen Sie Ihre Bank, Finanzinstitute und Ihre Konten
Kurze Zusammenfassung
Um es kurz zusammenzufassen: Mir war aufgefallen, dass mein Bankkonto meine Ausgaben plötzlich in Gruppen wie Einkommen, Gesundheit &Fitness, Essen &Trinken, Reisen, Dienstleistungen für Unternehmen, Haustierbedarf usw. einteilte. Mir war sofort klar, wohin das führen würde, und ich ärgerte mich besonders über die Kategorie "Einkommen", in der Gelder falsch ausgewiesen wurden, die auf Drängen der Marionette Biden direkt an das Finanzamt weitergeleitet werden sollen. Um ein soziales Punktesystem dafür zu schaffen, wie und wo man sein Geld ausgeben kann oder Zugang zu Orten oder Dienstleistungen erhält, und damit die Regierung jeden ausgegebenen Cent ausspionieren kann, muss zunächst eine Struktur aufgebaut werden. Ich habe schnell nach dem Haftungsausschluss von Drittanbietern gesucht, um zu sehen, wer meine persönlichen Finanzdaten organisiert, und fand: "Kontoaggregationsdienste werden von Yodlee, unserem Drittanbieter, bereitgestellt. Die Daten werden von Yodlee bezogen oder manuell eingegeben". Ich ging dann zu dem Abschnitt, der es angeblich ermöglicht, die Weitergabe von Daten einzuschränken, aber die Einschränkung von Yodlee war keine Option. Ich rief meine Bank an und fragte, wann der Vertrag begann, und mir wurde gesagt, 2017. Ich fragte, was Yodlee außer dieser neuen Kategorie-Aggregation noch mit meinem Bankkonto zu tun hat, und mir wurde mitgeteilt, dass sie nichts finden konnten. Ich fragte, ob sie meine Daten verkaufen würden, und der Mann wusste es nicht. Ich bat darum, die Daten zu löschen, und mir wurde gesagt, dass sie das nicht tun können. Ich erklärte, dass ich meine Konten schließen werde, wenn sie das nicht tun können, und wollte mit einem Manager sprechen. Mir wurde gesagt, ich würde einen Anruf erhalten. Das geschah nie, und Sie können darauf wetten, dass ich meine Gelder verschoben habe.
Wie Sie in der Zeitleiste unten sehen werden, ist Yodlee einer der größten Finanzaggregatoren, der auch Ihre Daten verkauft und gegen den eine Sammelklage läuft, aber das wird diesen Zug nicht aufhalten. Das Unternehmen wurde 2015 von Envestnet übernommen. Zum Vergleich: Envestnet arbeitet mit 17 der 20 größten Banken sowie mit 5.200 weiteren Banken, Finanzinstituten und Unternehmen zusammen. Sie betreuen 4,8 Billionen US-Dollar an Vermögenswerten, verwalten 229 Milliarden US-Dollar an Vermögenswerten und betreiben mehr als 2 Millionen Finanzpläne pro Quartal. Envestnet betreut täglich 500 Millionen aggregierte Konten.
Drei Jahre später, im Jahr 2018, erwarb BlackRock, der weltweit größte Vermögensverwalter, eine Kapitalbeteiligung an Envestnet und ging eine Partnerschaft mit dem Unternehmen ein, um seine Technologie mit der von Envestnet zu integrieren. Im darauffolgenden Jahr kamen der CEO von Envestnet und seine Frau bei einem tödlichen Autounfall ums Leben, kurz nachdem der "Going Direct"-Reset unterzeichnet worden war. Nur wenige Monate später beantragten drei Demokraten eine FTC-Untersuchung gegen Envestnet/Yodlee wegen Bedenken hinsichtlich des Datenschutzes für die Verbraucher (das ist lustig), wodurch Envestnet im Wesentlichen unter Druck gesetzt wurde. Dies ist nur die Spitze des Eisbergs, aber es ergibt sich ein gutes Bild, wenn man die nachstehende Zeitleiste betrachtet. Diese Zeitleiste hätte weit über 30 Seiten lang sein können, um die Beteiligung von BlackRock zu erläutern, da sie die NWO-Finanzshow leiten - aber dies ist dazu gedacht, das Bewusstsein der Menschen zu schärfen, damit sie ihre eigenen Banken untersuchen und selbst Entscheidungen darüber treffen können, mit wem sie Bankgeschäfte tätigen und wie sie ihre Finanzdaten und Finanzen schützen wollen.
BlackRock hat drei hochrangige Positionen im Weißen Haus inne, verwaltet 7,8 Billionen Dollar an Vermögenswerten anderer Leute und ist damit der größte Vermögensverwalter der Welt. Der Konzern ist unter den drei größten Anteilseignern aller großen Unternehmen und Branchen (sehen Sie selbst nach), investiert in großem Umfang in den "Klimawandel", meidet fossile Brennstoffe und hat einen Großteil seiner Konkurrenz verschlungen. Die Spitzenreiter BlackRock und Vanguard werden bis 2027 voraussichtlich 20 Billionen Dollar verwalten. Es ist keine Überraschung, dass BlackRock und das Weiße Haus in den Regierungen Clinton, Obama und Biden eine Drehtür hatten und haben. Nicht nur das Personal wechselt zwischen den beiden Unternehmen, auch Vorstandsmitglieder von BlackRock wie Cheryl Mills, die während der Zeit der Clintons im Weißen Haus für beide tätig war, scheinen zu BlackRock überzulaufen. Sie sind die Entwickler des "Going Direct Reset" und helfen, den Weg zu ebnen.
Unter dem Deckmantel der "finanziellen Wellness" und des "klimabedingten Finanzrisikos" haben sie die Finanzindustrie dazu gebracht, die Finanzdaten aller Menschen zu rationalisieren und zu überwachen, so dass sie sie durch ein soziales Bewertungssystem kontrollieren, Ihnen sagen können, wie und wo Sie Ihr Geld ausgeben sollen, und das, was ihrer Meinung nach an das Finanzamt gehen sollte, abschöpfen können. Darüber hinaus werden Billionen von Dollar den Besitzer wechseln, von den älteren Menschen zu den Millennials - und diese Leute haben in all dem ihre Finger. Schauen Sie sich den kompletten Zeitplan an, um zu verstehen, wie sich all diese Maßnahmen auf alle auswirken.
Wie ich bereits letztes Jahr anmerkte - als die Stimulus-Schecks direkt eingezahlt wurden - geschah dies, um eine umfassendere Datenbank zu erstellen, als sie sie bereits über die Bankkonten der US-Bürger angelegt hatten. Das war nur ein weiterer Baustein in ihrem großen Plan. Es ging nie darum, Groschen auf Ihr Konto zu bekommen, um Ihnen zu "helfen". In diesem Zusammenhang gelang es den PPP-Kleinunternehmensdarlehen auch, Finanzdaten über Kleinunternehmen und Landwirte im ganzen Land zu erhalten.
Dies war der größte manipulierte Vermögenstransfer, den dieses Land je erlebt hat. Das Jahr 2020 wird kristallklar werden, wenn Sie diesen gesamten Bericht gelesen haben.
"Einblicke" = Überwachung und Kontrolle
Wenn Sie sich Ihr Bankkonto ansehen, suchen Sie nach "Drittanbietern" und "Aggregatoren". Vielleicht stoßen Sie auf eine Erklärung wie die meiner Bank, warum sie Ihre Daten sammelt. Sie verpacken das Ganze mit viel Schnickschnack und suggerieren, dass sie das für Sie tun … "Sie möchten vielleicht, dass wir Ihnen nützliche Einblicke in Ihre Finanzen liefern …, damit Sie klügere finanzielle Entscheidungen treffen können." Wieder einmal wird Ihnen versichert, dass Sie nicht intelligent genug wären, um Ihr eigenes Geld zu verwalten, so wie Sie ein intelligentes Haus, ein intelligentes Telefon und eine intelligente Stadt brauchen, um zu überleben.
DIES ist der Rahmen für das soziale Punktesystem. So wird es gemacht: Indem man Ihre Gelder auf Ihren Bankkonten kategorisiert und gleichzeitig ESG-Bewertungen (Umwelt, Soziales und Unternehmensführung), die von anderen Finanzinstituten vorgenommen werden, in Bezug auf Investitionen zuweist. Diese werden wahrscheinlich auch auf Ihre Bankkonten angewendet werden, insbesondere mit Bidens neuer Durchführungsverordnung.
Die Kategorie "Einkommen" wird zwar nicht in der Dropdown-Liste aufgeführt (zumindest bei meiner Bank), aber sie ordnet verschiedenen Einlagen "Einkommen" zu, auch wenn es sich nicht wirklich um Einkommen handelt, was unter den einzelnen Einlagen ersichtlich ist. Letztendlich werden sie auch eine "ESG"-Spalte für klimabezogenes Tracking einrichten.
Sehen Sie sich diese 6-1/2-minütige Videozusammenfassung an, die The Sharp Edge auf der Grundlage dieses Berichts produziert hat. Es enthält zwar nicht alle Details in der ausführlichen Zeitleiste unten, fasst aber vieles über diese finanzielle Übernahme zusammen.
Die Zeitleiste spiegelt die wichtigsten Aktionen von BlackRock, Envestnet/Yodlee, Biden, der Federal Reserve, dem US-Finanzministerium, den Banken und dem IRS wider.
Diese Zeitleiste zeigt Ihnen nicht nur, wie diese Aggregatoren Ihre Daten abgreifen, weitergeben und den Rahmen für ein Sozial- und Klimabewertungssystem schaffen, sondern auch, wer dahinter steckt, wie sie diese Show veranstalten und wohin sich dieses Spiel entwickelt.
Auf diese Weise zielen Envestnet und wahrscheinlich alle Finanzinstitute darauf ab, dass die Menschen "die digitale Revolution annehmen". Sie sehen Millennials als "gewöhnt an Technologie und soziale Medien, und sie wollen nichts anderes, wenn es um ihr Finanzleben geht."
Envestnet wurde gegründet
Judson Bergman und Bill Crager gründeten Envestnet in Chicago, Illinois, und haben inzwischen Niederlassungen im ganzen Land. Sie verfügen über zahlreiche Marken, die alle von Faegre Drinker Biddle &Reath LLP, nur eine halbe Meile von ihrem Büro entfernt, eingetragen wurden. Envestnet hat im Laufe der Jahre eine ganze Reihe von Unternehmen übernommen, darunter FolioDynamix, FDX Advisors, PIEtech MoneyGuide, Yodlee und andere.

George Orwell´s "1984" became to blueprint cyanotype for our dystopical reality,, 07.01.2021
Population control and the new world order (NWO)
Von John W. Whitehead & Nisha Whitehead
"If you want to get an image of our future, imagine yourself a boot treading upon a face - all the time.", George Orwell, 1984
28. Juni 2021, The Rutherford Institute
Read it with care: George Orwells (25. Juni 1903 - 21. Januar 1050) fiction became a manual for the modern, omnipresent surveillance state.
More than 70 years ago, Orwell, dying with fever and bloody fit of coughings - urged to warn in the roman 1984 against the arise of a society, the unhalted misuse of power and mass maniipulation, faschism and totalitarity as a result of the increasing use of technology.

OKWorld Economic Forum / Cyber Polygon: Power off each device from the internet,, 06.29.2021
A little video intimating the solution for protection of the Cyber Poligon Simulation for each possible "cyber attack" as an aim for the event: The abolition of the internet.

Increasing amount of cyberattacks
Clinics in the visor of hacker
,, 28.06.2021

OKMicrosoft does not have to fear a class action lawsuit against Windows 10,, 11.30.2015 | 14:41 o´clock | Denise Bergert

#WE#TOO: Computer - es geht (ging) kaum noch kaputter: Company smashing of Facebook, Googke, Amazon, Microsoft, Intel (Meltdown&Spectre), Apple and many more west-companies multi-times postulated by many organistations and persons
Details in future!

Betrayer&1#8;s getting serious hard to investigate
Hunderte Spendenmillionen versickern
,, 09.07.2019
Nach Recherchen von Report Mainz werden jedes Jahr Hunderte Millionen Euro an Spendengeldern nicht ordnungsgemäß verwendet. Die Rechtslage macht es Betrügern dabei leicht.

"I have never been betrayed like that!"
#34c3: The eavesdropping programs of the secret services
,, 29.01.2018
"Ich bin noch nie so belogen worden", sagte Hans-Christian Ströbele über seine Arbeit im NSA-BND-Untersuchungsausschuss. In einem Gespräch mit Constanze Kurz resümiert der grüne Politiker die Ergebnisse der parlamentarischen Untersuchung.

Expert about privacy: "I always ask myself, why the people do still make it through",, 09.06.2019
Marc Al-Hames kennt alle Tricks der Werbeindustrie. Im Gespräch mit dem Stern erklärt er, warum die plötzlichen Datenschutz-Bekenntnisse einiger Konzerne nicht ernstzunehmen sind und was der größte Unterschied zwischen Apple und Google in puncto Datenschutz ist.
[...]."Facebook zum Beispiel hat Privatsphäre nie verstanden und versteht sie auch jetzt nicht."
[...] "Umfragen zufolge liest der Großteil der Nutzer keine Geschäftsbedingungen und stimmt allen Anfragen zu."

OKUnwanted agreements
Howto change your data settings for more privacy at Telekom, Vodafone and o2
,, 05.08.2021

OKInnvoation of Apple
No tracking anymore - what does it mean?
,, 04.28.2021
What does come new with iOS 14.5?

... might be simliar to the computer...:

OKAccording to a study smartphones do share our data each four and a half minute, uncutnews, 31.03.2021

OKAndroid-Studie of Professor Leith: Google-Handies do send away twenty times more data than iPhones, CHIP, 04.04.2021
Android-malware: Howto protect users against fake-updates

Except from non-profit organziation (that still should be viewed upon in News&Links critically) and some Raspberries, secure tor-relais (entry guards and exit nodes) are serious hard to find!

Digitalcourage e.V.,
Since 1987 Digitalcourage e.V. is engaged in basic rights, data (privacy) protection and a livable world in the digital age. We are technique affine, but defend against our democracy getting "given away and sold out".
Since year 2000 we confer BigBrotherAwards. Digitalcourage is non-profit, financed by spends and is living from non-profit work. More about our work:
Get more to know about Digitalcourage from News&Links too!

OKDuring my last updates few days ago I have noticed the following ... under system - securityt ... each steps one does, goes and went, each side, even outside of the www...., is stored in the background, by date, time and location !, Pia Berling @, 24.11.2020
Go into the system settings (system control) and deactivate all ticks!
Then delete under the action history, that is part of a network with the Google account and others!
But there is still not any gurantee, that your activities won´t be prosecuted completely anymore... at least one has done something against it!
My opinion is, that it is a good thing to deactivate the total eavesdropping.. by deactivating Cortana ( Linux-aquivalent to krunner and akonadi -> includes of akonadi through akonaditray) ... (what I all have already made long ago), to put of the cameras too, to use them only, if really needed! ... and further on ...

Software combine SAP
With data theft to the too of the world?
,, 11.12.2021
Nach Recherchen von Fakt und dem "Spiegel" könnte der Diebstahl von geistigem Eigentum durch SAP eine lange Tradition haben. Bereits von 1997 bis 2008 soll der Konzern in Kooperation mit Universitäten Entwicklungen von Mitbewerbern missbraucht haben.
Neu aufgetauchte interne Dokumente werfen einen düsteren Schatten auf den Softwarekonzern SAP, dessen Management und den Aufsichtsrat. Nach Recherchen des ARD-Magazins Fakt und des "Spiegel" drängt sich das Bild eines Unternehmens auf, das sich offenbar auch mit unlauteren Methoden, vor allem Diebstahl geistigen Eigentums, an die Weltspitze getrickst hat.
Die Vorgänge reichen bis zurück in die 1990er-Jahre und sind in einem Gutachten der Wirtschaftskanzlei Linklaters von 2010 festgehalten. In Auftrag gegeben hatte es SAP selbst.
Hintergrund war der damalige Rechtsstreit mit Oracle. Der US-Erzrivale hatte SAP 2007 verklagt, weil die Deutschen durch die Übernahme des Softwaredienstleisters TomorrowNow an urheberrechtlich geschützte Dateien von Oracle-Servern herangekommen waren. In einem Vergleich musste SAP später 357 Millionen Dollar Schadenersatz an Oracle zahlen.
Im Zentrum steht ein Hopp-Vertrauter
Das Linklaters-Gutachten sollte klären, ob Haftungsansprüche gegen den damaligen Vorstand Gerhard Oswald bestehen - Oswald war für die TomorrowNow-Übernahme zuständig. In dem Dokument finden sich zahlreiche Hinweise darauf, dass Oswald und einer seiner Mitarbeiter von Urheberrechtsverletzungen wussten. Zudem soll der damalige SAP-Vorstand unter CEO Henning Kagermann alles gebilligt haben.
Die Konzernspitze zog aus dem Gutachten indes keine Konsequenzen. Oswald wurde sogar befördert, obwohl die Linklaters-Juristen empfohlen hatten, sich von ihm "geräuschlos" zu trennen. Oswald, ein Vertrauter von SAP-Gründer und Großaktionär Dietmar Hopp, blieb bis 2016 im Vorstand und sitzt seit 2019 im Aufsichtsrat.
Dubiose Kooperation zwischen Uni Mannheim und SAP
Fakt und "Spiegel" berichten zudem über eine dubiose Kooperation von SAP mit der Universität Mannheim ab 1997, bei der abermals Oswald eine zentrale Rolle spielte. Auch sie ist Gegenstand des Gutachtens. Offiziell ging es bei der Kooperation darum, Konkurrenzsoftware durch ein unabhängiges Institut untersuchen zu lassen, in diesem Fall die Forschungsgruppe Wirtschaftsinformatik der Uni Mannheim. Tatsächlich hätten SAP-Mitarbeiter unter dem Deckmantel der Kooperation die Konkurrenz ausspioniert. Selbst Interventionen der Rechtsabteilung, des Compliance-Teams und der Revision seien weitgehend ignoriert worden.
Nach Informationen von Fakt und "Spiegel" zog SAP bis vor das Bundesverfassungsgericht, um die Staatsanwaltschaft Mannheim daran zu hindern, das Gutachten als Beweis in einem Ermittlungsverfahren gegen die SAP-Vorstände wegen Urheberrechtsverletzungen zu verwenden. Die Beamten waren auf das Dokument 2011 bei einer Razzia in der Konzernzentrale gestoßen.
Das höchste deutsche Gericht nahm die Verfassungsbeschwerde seinerzeit nicht an. Das Strafverfahren gegen die Vorstände wurde Ende 2017 eingestellt, SAP musste allerdings 250.000 Euro an die Staatskasse zahlen.
SAP teilte auf Anfrage mit, die Urheberrechtsverletzungen von TomorrowNow seien Gegenstand des Verfahrens mit Oracle gewesen, das einvernehmlich beigelegt wurde und abgeschlossen sei. Die Vorgänge rund um die Universität Mannheim seien intern umfassend aufbereitet worden. Der Schutz geistigen Eigentums bilde das Fundament aller SAP-Lösungen.

United Absurdistan - Judas Judäa - USA-81/82/1911/The Empire- US-republicans (quot;the farmer-party") & Co.
Do we all have to mutate now (since 1981/82) into his (labor-)rats or pigs, cows and battery chickens?
... in order to create and fead the growing big elefant in dizzier and dizzier heights?, someone once wanted to know.
Clever and Smart, NY83 (oh, by the way company foundation year of Microsoft...): "The next number without net!"

OKAllicance: Five Eyes, Nine Eyes, ...
"We kill people on the base of meta-data"
Hacking and Eavesdropping
,, 02.24.2020

"Üh, äh, böh: This is as stupid as Windows!"
,, Linux Forum

OK"Thank you, Linux, you have made Microsoft rich!"
Hard to install Linux, hard to configure, hard to secure it really up, many updates, not all device drivers, discussable design, changing libraries, unsolved dependencies, missing software for special professional business work...
Debian based on the package-manager dpkg, syncatpic and just the for a long time based awful rare feautered, shaby aptitude, while Mandriva awaits with rpm, urpmi, yum and the user-friendly drakconf for administration ...
System crashed serious hard up to dbus-update from year 2019.
KDE caused system breakdowns. It got stable for the first time since a python-update in 2016.
A lot of lacks in security and weak points (exploits) had to be solved.

Welcome in the virtual world - Security and more in the internet,, 12.07.2021
The internet has changed the society inherently. Not just 50 years before, the telephone set in the own house was seldom.
Today billions of people are surfing each day in the internet, what has led into plenty of changes in many sectors. If advertisement, if criminality, all this happening in the real world became partially true within the net. But how can you protect against its criminality and what advantages does the web provide for companies?
[...] There are plenty of betraying methods and criminalse got more und more inventive. Indeed, meanwhile authorities found out the machination and police authorities have got more and more to do with the inverstigation in virtual crime. However wants to achieve a high security level must pay attention to many important factors.

Our LONGTERMED-kernel: kernel-5.4.269-pclos1 (pclos2024) from PCLinuxOS (pclos), kernel-lt-5.4.219-1.el7.elrepo.x86_64 with perf (el7.elrepo) from,

[ UNSOLVED: kernel-5.4.134 and actual kernel-5.4.151: unwanted root-processes got highly active causing many readwrites onto harddisc, whenever starting Pale Moon and tor (el7, rosa2016.1) each surrounded by firejail (OpenSuSE 15.2) ]
E-mail from Gooken to kernel-maintainer Greg Kroah-Hartmann and other Linux-kernel-experts

Date: 07.24.2021
Subject/Betreff: Unwanted hyperactive root-processes reading and writing out the whole SSD/harddrive ! / Kernel-5.4.134 (pclos) -> Apparmor / Tor (OpenSuSE) usw. etc.: Freigabe von Informationen, Ausführen von Code mit höheren Privilegien und beliebiger Kommandos in Linux, Erzeugung, Lesen und Überschreiben beliebiger Dateien

Hi, Greg, dear Linux experts and friends,

this is one of the most dangerous and worst things, Linux can happen!
Refering to the actual kernel 5.4.134 ( now up to the actual version 5.4.151 and higher, additional remark from 10.08.2021), there still is a problem with root-processes activated running highly active (making the tower-LED causing readwrites onto harddiscs and making the SSD/harddrive blink serious-madly hard during up to 20 minutes). The whole SSD/harddrive seems to get read out and overwritten!

The unwanted, highly by tor (pclos, mga7) resp. firejail activated kernel-root-processes are named

kworker/u2:1-kcryptd/253:2 (escpecially this one, CPU: gt; 10%, sometimes over 3600 % measured by ksysguard)
dmcrypt_write/2 and

Now these processes (that might always get activated) make up the system (of the processes) through their unexpected high activity greater all other ones, even X11/X, making the LED for readwrites of my tower always blink !

This occurs since kernel around 5.4.134 (and again in 5.4.151), whenever I start browsing (with Pale Moon), activating firejail and tor (el7) too. Both, Pale Moon and tor are always started within firejail. The LED seems to blink (and processes work such active) until tor builds up the connection to a Guard node.
Please patch the kernel-5.4 to prevent it in future!
Please patch the kernel-5.4 to prevent it in future!

Appendix by firejail (OpenSuSE 15.X) needed by tor (rosa2016.1, mga7) must be the cause for the activation as much as high activity of some root-processes!
I have got no other explanation.
Kernel security module apparmor itself got deactivated within the kernel by my boot-parameters "security=none" and "apparmor=none".

After tor and firejail version got changed from OpenSuSE 15.X to mga7 (firejail) resp. to CentOS el7 (Tor), so that is not required anymore, such root-processes did not get activated resp. active too much!
But they did appear unexectedly again in kernel-5.4.151 !
Restoring Linux with kernel-5.4.150 from my rescuing media (one more 128GB-SSD), this problem disappeared - no such root-processes started. But I do not believe it got really solved by this or generally!

So I still await your patches for kernel-5.4.


Thanks a lot for your answer!

No, no malware, all is linux (rpm) checked well,
no, nothing can cause it - except, as you wrote, a browser-extension.

I do believe more in firejail as the reason.

Yes, Pale Moon starts within sandbox firejail and the start envokes tor too. An extension or firejail might be faulty, but why should kernel-root-processes react that way each time Pale Moon gets started?
The kernel should find out it itself, not making himself to such threatening jerk, whenever the user just wants to surf in the internet!

Hello, today it manages us (Gooken) to prevent the highly active kernel-processes from above after a look into the home-directory of tor (/home/surfuser).
There the size of a file increases all the times during the activation of tor surrounded by firejail (that causes the high activity of the kernel-processes), it is named:


and its size was incredible high (much over 100 MB)!

It prevents Tor from building up any connection, so I had to wait up to 20 minutes.

Deleting it did not help: This file occured and larges its size again.

So we set integrity on it (this file) by "chattr +i" and belonging firejail-rule. Now the problem described next indeed got solved, Tor immediately builds up connections, kernel-processes activity lowered to the current percentage far below 10 percent and the tower-LED for readwrites stopped blinking,
but nevertheless this is not really a good solution,
tor or firejail and kernel (here 5.4) of course still have to get patched ! ( !!! )

[ UNSOLVED : Linux, all kernel, all LUKS (cryptsetup): Already the login for the mount of the LUKS-encrypted root-partition during the boot each trial fails !, Gooken, 06.06.2022 ]
This happens because of the wrong coding of special chars making up the password typed in from keyboard, so that the paragraph sign ("§" might be taken as a "#" and further more.
Even the further below mentioned assignments through setkey of such special chars to the meant ones (like paragraph sign for # and further more) in /boot/grub/menu.lst from below, does not help here anyhow!
The only thing to get logged into the system for the decryption of the LUKS-encrypted root-partition one can do is typing in the character following such assignments, so that the paragraph sign and further more is understood as they should. So make yourself confident with the character sets from keyboard how they got really get understood by Linux. We hope, this all gets patched one d

setkey y z
setkey z y
setkey Y Z
setkey Z Y
setkey equal parenright
setkey parenright parenleft
setkey parenleft asterisk
setkey doublequote at
setkey plus bracketright
setkey minus slash
setkey slash ampersand
setkey ampersand percent
setkey percent caret
setkey underscore question
setkey question underscore
setkey semicolon less
setkey less numbersign
setkey numbersign backslash
setkey colon greater
setkey greater bar
setkey asterisk braceright
timeout 10
password --md5 ...
default 0
title 008win1smp
password --md5 $.../

[ UNSOLVED: Kernel-5.10.52 (pclos, PCLinuxOS) causes restarts during the boot of KDE (4.3.4, 4.4.9 and 4.4.11-update-mix out of el6-mdv2010.2-OpenSuSE11.2-kukuk) right before the KDE-welcome-sound is played ] and udev-hotplug does not exist anymore
This problem remained unsolved: Using Kernel 5.4, this problem got not solved by us, Gooken.
Maybe this kernel gets patched by linuxfoundation in future.

IT-Security is the kind of "game"; to reach the highest IT security level as possible. Its aim is to escape from the sun-eating of the evil suneater ("computer"), by mutating him (the suneater resp. "computer") into a real computer - including its boundarires resp. connections within all his nets... ( do not ask us for all the people having already lost this "game" ...). We´d like to play it in the manner of the popular game "Mensch-ärger-Dich-nicht": hook by hook :

OKGooken provides 1000% IT-security: Just follow these green hooks!

Lifetime-hardware from our data sheed: mouseclick-fast upon Celeron

OKTip from CHIP: Resign from MS Windows, CHIP, 18.09.2020
We do have a special security tipp for you. Whoever wants to protect effectively, says Windows good bye, in order to restrict hackers the room for attacks.

But the enourmous advantage of the "reference-highschool-operating-system" UNIX/Linux: opensource, high support with updates, all kind of software of all rubriques and coleur, especially server (like httpd/Apache) and databasis (like MySQL): all inclusive. 1000% security can be achieved, as we are going to describe here!

OKNotice: IP2Location C library enables the user to get the country, region, city, coordinates, ZIP code, time zone, ISP, domain name, connection type, area code, weather info, mobile carrier, elevation and usage type from any IP address or hostname. This library has been optimized for speed and memory utilization. The library contains API to query all IP2Location LITE and commercial binary databases. Users can download the latest LITE database from IP2Location web site using e.g. the included downloader.

OKYou are looking for good (secure anyonymizing) tor nodes, good entry-, middle- and good exit relais, of NGOs from secure countries? Then you are at the right place here and within our section News&Links!

OKIn contrast to the all in all quit compact, a registration requiring Debian Gooken presents a complete, especially a concrete solution for real security in concept on the base of UNIX-Linux-filesystems like ext4, btrfs and reiserfs. A lot of points and links refer to sources from Debian, while they got changed into more concrete methods - following the right security concepts. Also we did not like dpkg much in comparison with rpm same in design, structure and detail for the belonging packet-search-engines versus with mirrors like Too many clicks have to be made for Debian until a download of a package really starts. Methods sink down in very much hugh-large theory and all its possibilities in Debian.

Gooken&#s points origin in the cheap, economy and exemplary hardware listed in the data-sheed and by LUKS/dm-crypt/cryptsetup encrypted UNIX-/Linux-filesystems, those with useful owner-, group-, and access-rghts). At last an (at this time still not complete) online-(security-)check is possible to check out the browser.

UNIX/Linux is a "password-system". The main idea of UNIX/Linux is the creation of a password-protected account for each in the net communicating program (server or client), the isolation of each account from other ones resp. the setting of belonging access-rights, followed by the configuration of each of such programs (like /etc/httpd.conf for Apache, /etc/squid.conf for Squid and /etc/samba.conf for Samba (LAN) etc.) and the performance of further methods like for the pervention of chrooting by system-configurations and especially sandbox Firejail.

Beneath general system-wide configurations the rights for more or less all of the system-administrator root and similar user resp. accounts have to get restricted too, while normal user accounts can even get locked completely. An important restriction for even root (uid 0 and gid 0) is enpossibled especially by firewall Linfw3, that can completely prevent its net-access!

1000% IT-security: following Gooken always as concrete as possible - not only for Linux, but also for MS Windows and Smartphones (section Smartphones also from left menu) - for Android as much as iPhone!

( This all reminds us inourdays more or less of Trump in the role of the US-president. Many critics against the multiple previous convicted notorious liar have arised and actually do come up, all not feeding concrete enough in the for more then 150 years unchanged state constitution, so that Trump, past maneuvers as the exchange of the judges of the Supreme Court, still was able to beware his role us a legal president of the United States, details see Gooken in section News&Links#Trump ! )


Open DIN-norm for open hardware

Following our excurs, Linux will become a keyword-/password-system!
Get rid of all problems with your computer! You won´t have any troubles with your computer and computer-system anymore! This became really possible since 2010 Enterprise Linux resp. "Universal Linux" was released upon the TÜV Rheinland certified hardware listed in our section data sheed! Only the installation process will make its efforts. Of course you have to update the system with Enterprise Linux:
Gooken presents you "Universal Linux" especially on the base of the longer than 10 years updated Enterprise Linux 6, 7 and 8, CentOS C6, C7,. .. ( Fedora Core, RHEL6, CentOS 6 (same for CentOS 7) resp. Scientific Linux 6 resp. 7) and/or resp. additinally the Mandriva-derviates (Mandriva2010.2-2012, Mageia 1-7, Rosa2014.1, 2016.1, PC Linux OS (pclos)) and some Slackware (slack 14.2) and OpenSuSE (Thumbleweed, 15.2, 15.1, 15.0) including KDE-Desktop-Environment (KDE) and other Desktop Environments - the 1000% secure made computer operating system, full of surface covering, prototyped, almost rpm-based software, incl. emulators for many programs for other operating systems, together with the belonging everlasting lifetime-hardware running mouseclick-fast upon "Universal Linux" on low power consumption and lowest costs listed in data sheed from left menu - and all quit for free!

OKgtk3 (el7): gtk3 (el7, rpm -i --force --nodeps), cairo ( el7, rpm -U --force, cairo-gobject (el7), glib2 (el7, beneath glib2 (el6) by rpm -i --force --nodeps), libepoxy (el6, el7), libxkbcommon (el7, rpm -i --force), fontconfig (el7), fribidi (el7), gdk-pixbuf2 (el7), glib2 (el7), harfbuzz (el7), jasper (el7), jasper-libs (el7), libblkid (el7), libexpoxy (el7), libjpeg-turbo (el7), libpng15 (el7), libmount (el7), uuid (el7), libuuid (el7), libwayland-client (el7), libwayland-curser (el7), libwayland-egl (el7), libxkbcommon (el7), libthai (el7), pango (el7), rest (el7) and zlib (el7). pango (el7) won´t let work drakconf (mdv2010.1), file-roller (el6) and palemoon for example. In this case, keep the old libpango (el6) by resigning from libpango out of pango (el7), same for libgio and libgobject of glib2 (e7) and libgdk_pixbuf of gdk_pixbuf2 (el7). If you have problems installing glib2 and gtk3, enpack the rpms and copy their includes (directories and files) manually into the pregiven directories by the command "cp -axf".

In order to approach CentOS 7 / SL 7 with CentOS 6 / SL6, you might want to install systemd (el7) too...

EU-finanzierte Cybersecurity-Firma die "anonymes" Schnüffeln und Fernsteuerung von Netzgeräten entwickelt, @, 16.06.2021
[...] Die Erstellung und Verwendung des verschlüsselten Chats ANOM, der im Mittelpunkt der jüngsten behördenübergreifenden Operation gegen das organisierte Verbrechen stand, wurde als Beispiel angeführt. Die App enthielt einen geheimen Hauptschlüssel, der es den Strafverfolgungsbehörden ermöglichte, Nachrichten im laufenden Betrieb zu entschlüsseln und aufzuzeichnen.
"Wir machen uns Sorgen darüber, dass Geheimdienste Hintertüren haben… Die meisten Leute denken nicht darüber nach, dass Geheimdienste die App tatsächlich erstellen, um Leute zu fangen", sagte der CIA-Whistleblower John Kiriakou kürzlich in einem Interview mit RT über diese Operation.
"Ich denke, wir sollten alle einfach davon ausgehen, dass unsere Kommunikation, auch unsere verschlüsselte Kommunikation, überwacht wird," sagte Kiriakou, der sagte, die Episode war eine ernüchternde Erinnerung über die Grenzen der Online-Privatsphäre für diejenigen, die naiv zu glauben, digitale Nachrichten sind sicher vor Schnüffelei.
Anfang dieses Jahres aktualisierte die EU ihre Regeln für den Export von Technologien mit doppeltem Verwendungszweck, einschließlich Cyber-Überwachungsinstrumenten, um "Menschenrechtsverletzungen und -missbrauch zu verhindern". Die neuen Vorschriften wurden jedoch von Datenschutzorganisationen als zu schwach" eingestuft, um als Schutzmaßnahme zu dienen.
Weder das Unternehmen noch die europäischen Behörden haben auf den Bericht reagiert.
Quelle: EU-bankrolled cybersecurity firm develops intrusive tech that allows ´anonymous´ snooping &remote control of net devices - media

OK (Planned in future) Vienna, net-communiciaiton: Free from eavesdropping with the help by quantum physics?,, 16.12.2018
Whoever communicats in the internet with eachother, he leaves tracks within the internet without fail. Research scientists from Vienna invented a new method making communication free from eavesdropping even in larger networks.
In future the quantum cryptography enables a eavesdrop-free communication in the internet. Researchers from Austria have - following their own descriptions - made the important step. It managed them to keep four members of a network communicate free from eavesdropping. Scientists around Rupert Ursin from the Institution for quantum optics and quantum information of the academia of sciences in Austria introduced their research in the british expert report "Nature".

36 millionen Euro: ZITiS builds supercomputer for encryption
,, 16.10.2018
The hacker-authority ZITiS in Germany intends to buid a supercomputer for the deciphering of encrypted um data. This follows the 36 Millionen Euro lasting draft budget of the authority we ar publishing. ZITiS still searches for state-hacker, while actually only half of the places for this work are staffed.
German Federal Ministry of Internal State

Secure method
End-to-end-encryption is a method popular within application of daily communication technology. This technique has been used in messengers like Signal, WhatsApp or iMessage for years. End-to-ende means communication transfer without any breaks. Transferred contents can only be decrypted and read out at the end points of each communication partner.
Encryption technique is nothing to argue, it depends on mathematic, a science that is non-ambiguous.
Wie die Kommunikationsanbieter ProtonMail, Threema, Tresorit und Tutanota in ihrem Gegenstatement auf den Punkt bringen: "Der aktuelle Entwurf der Resolution des EU-Ministerrates beruht auf einem eingeschränkten Verständnis der technischen Aspekte von Ende-zu-Ende-Verschlüsselung. Denn Ende-zu-Ende-Verschlüsselung ist absolut, Daten sind entweder verschlüsselt oder nicht.
[...] Obwohl bisher noch nichts entschieden ist, raten Datenschützer:innen und Expert:innen dazu aufmerksam zu bleiben. Es ist zwar noch kein Gesetz im Entwurf, die Annahme der Entschließung bereitet jedoch einen Weg für einen Entwurf der Kommission. Die zuständige EU-Innenkommissarin Ylva Johansson äußerte sich zuletzt ambivalent.
Zwar teilte sie in einem Schreiben EU-Abgeordneten Anfang Januar mit, dass es keine Pläne gebe, Verschlüsselung zu verbieten. Allerdings fügte die Kommissarin hinzu, "weiterhin gemeinsam mit den Mitgliedstaaten mögliche rechtliche, operative und technische Lösungen für den rechtmäßigen Zugang zu solchen Daten zu prüfen."

Survey of the internet node: DE-CIX sues BND, Tagesschau, 22.04.2015
The BND is taken into response before law for his surveys of the net-node DE-CIX in Frankfurt at Main. The holde of the node is going to sue. Criticizer do also sue the government for making tricks. Arond thre terabit data per second are passed and overworked, an amount of 600 CD-Rom. To the customers count all big internet companies like the Deutsche Telekom, Vodafone and Verizon, more details see Links, section "NSA, GHCQ & Co.".

... one more exception of our promise "Gooken 1000% - 1000% IT-security for your computer" grounds in webside code. Although tracking-scripts resp. JavaScript can (and should) be deactivated, information still are and can be stored in local as much as spreaded out into any PHP-MySQL coded databasis. Local isn´t the problem, but nevertheless, for this distribution of information into all kind of foreign databasis, an unusual release of the databasis-passwords is required,
but we really assume, they do!

But the exchange of DNS-information, canvas fingerprinting and the storing of the browser-user-agent-specification can be prevented as much as anonymizing proxies do, especially like TOR and/or maybe some VPN (Virtual Private Networking) at last for the anonymization of the IP !

An important part for the securty is taken by Linux-filesystems like btrfs and ext4 and our iptables- and ebtables-firewall linfw3 !

Beneath this we especially want to contribute on our websites to your choise of the right computer-hardware, the securing configuration of UNIX/Linux and the right choice of TOR--Nodes (so called EntryGuards and ExitNodes resp. Relais), in the last case even by the specializing sides News&Links! For more questions and questions of all kind of any matters our secure search engine Gooken wants to do its best.
Overwhelming, already everywhere published floods of information, reports over reports (material) out of the well-known best and very best sources within our section News&Links at last gives you one of the best opportunity ever to do something against responsible dangerous instances, more than endangering countries (like especially USA), companies, mandants, clients and persons by name - even by processing right before law against, what already has become deep, deep reality for decades!
What our party concerns, please do nothing but notice our general disclaimer!
So far our short description, the summary of Gooken!

OKTransport encryption part 3, HTTPS with TLS 1.3 in practice, 06.11.18 | author / editorial staff: Filipe Pereira Martins und Anna Kobylinska / Peter Schmitz
TLS 1.3 promises more security for encrypted HTTPS-connections. Unfortunately the implementation is full of perfidies and suprises.
However wants to have a secure HTTPS-encryption, does the best to think once again about the TLS-configuration, as good intentions for data protection without modern transport encryption do not make any sense.
As the vulnerabilities for TLS-protocols up to version 1.2 got explored and known well (see the report "TLS 1.3 - much hot air or a big breakthrough?") it seems to be obvious, that snooping (eavesdropping on https-encrypted connections does happen much more often than one likes to accept. TLS 1.3 really helps.
All begins with the problem, that total resignment from TLS 1.2-fallback for clients with missing support for TLS 1.3 is no theme for the next time.
[...] A robust transport encryption has got its own shady sides: malware can get through without noticing.
During the use of TLS up to version 1.2 (especially by RSA-Ciphers) IT-experts are abled to examine malefic payloads of the data transfer right before passing through the company data center. The communication was read out by so-called middleboxes, it got deciphered, analyzed and forwarded. With TLS 1.3 this kind of monitoring belongs to the past, as each connection is build-up is by Diffie-Hellman-keys - no chance for the so called "deep-packet inspection", as the communication can not be deciphered in real-time as before.

Mouseclick-fast: Secure surfing with TLS 1.3
Firefox 78.5.0 (el6,, pachted with Firefox 78.9.0 (el7) except : >= Includes of lib64nss3 (mga7, pclos or nss (fc, ...) and (well-patched openssl-1.1.1d (fc29) or (certified openssl-1.1.1a, fc27) to /usr/lib64/firefox/ (installation directory)

OKWe believe, all browser became out of date: Noone´t;s more secure and better!
Orbot (Tor-Proxy) and PrivacyBrowser or Tor-Browser for Smartphones, desktop with Firefox (OpenSuSE, SL/CentOS) or especially Pale Moon (pclos, with exchange of nss (Pale Moon) with nss (el8) except libsoftokn()(64bit) ), both upon Tor?

OKGooken recommends the secure messanger Ginlo from the Deutschen Post AG for Android up from version 5

[ Next Signal messenger error got solved in version 5.34.10 ], Gooken, 04.11.2022

From: Gooken
To: Developer of messanger Signal (USA)
Permanent Signal Error Report all versions since October 2021 up to now
, Gooken, 01.15.2022 - 03.25.2022
All actual Signal versions (up from October 2021) do not delete/remove and share any messages and further on upon our Android 4.4.2 - Smartphone armabiV7a anymore, belonging menu always leads into crash followed by a restart of Signal.
We mailed this several times to you and also delivered the error log with all the system information to youi as you postulated so much from us.
So why don´t you patch it to make it work again it already did before?
And why do elder versions only run just for some days giving the hint to download the actual version?
What the hell do you patch within the many, many updates you always provide?
As Signal should run up from Android 4.4+, as you published everywhere for it´s system requirements, do not force us all the time to buy a newer Smartphone with a more actual Android anymore.
And do not let us download all your so called patched newer versions with more than scrappy 40 MB full of suspicous code each apk!
Versions before end of October 2021 do indicate only working for some days (about one or two weeks) for considering themself as too old.
What I mean is, Signal does neither share, nor delete nor ... messages anymore upon Android 4.4.2 resp. 4.4.4. The menu crashes each election!
WhatsApp´s and a lot of Apps on my Smartphone and many Linux on my Computer is working fine - how can it happen?
We have sent several Signal-debug-protocols to the developers, but they still didn´r patch it.

But at first we talk about:

OKVia Browser for Smartphones, legendary (compared with Firefox or Chrome with more than 70 MB each browser):
  • Comfortable, secure smartphone-browser, just 0.86 MB sized apk, version > 4.3.3 from 12.2021
  • OpenSource,
  • also for elder Smartphones,
  • all needed functions,
  • tabs,
  • location release and blocking
  • user agent switcher,
  • pop-up-blocker,
  • adblocker,
  • internal filter ( one more adblocker ),
  • user definable filter ( ABP-filter-rules )
  • importable lists-filter: ABP-EasyList, ...
  • importable scripts
  • ... as a general filter underlayed all filters abvoe for each webseite
  • script blocker (ABP: easy list, ...),
  • place for addons/extensions and scripts
  • incognito-mode (blocks history and cookies and further more.)
  • night mode (fine adjustable darkning)
  • More functions: favorites, share, tool box, show page source, ...
  • Quit Browser: Via Browser won´t push news and other things to you. No bother to your android devices
  • Mini Browser: Via Browser use much less memory usage on your android devices
  • less RAM-consumption
  • Version 4.3.0: well patched code (updated well)
  • ...
  • Critics: Self-descriptions of this browser are in chinese language only.
    It is still not possible to add any proxy. Thence for highest IT-security Tor-browser ( Tor Smartphones still is our favorite browser!
  • ...., comfortable and simple adjustments and easy handling
    Download out of the internet or from a PlayStore. oder Huawei PlayStore

Dear reader, please inform the developer of Via Browser Tu Yafeng about the next issue!:
Email from Gooken to

here´s Gooken.
Please forward this e-mail to the devoloper of VIA Browser Tu Yafeng!
Refering to Via Browser 4.3.0 for Android-Smartphone, following errors occur:
Errata Via Browser 4.3.0
1 Breakdown/crash: Via Browser breaks down / crashes completely on some websites: again and again. I´m sorry not noticing belonging website-URL.
2. Language: Language input into input-text-fields is not possible in some cases, until it is changed from system to english resp. from english to system and so on. This happened several times on for example.
3. In online shops like Ebay it is not possible to click onto the buttom for the selection of the payment-method (SEPA, PayPal etc.): no reaction at all! Same for the payment itself (bottom for buying the product). During this JavaScript was always turned on and incognito mode to off. But Via Browser does not react independent from its incognito mode and adblocking or any other option!
4. Missing parts: Via browser still does not offer an opportunity to enter any proxy. We use Tor for smartphones for example and like to enter the tor-proxy based on socks5 into Via Browser.
5. Whenever scrolling the bookmarks, the following error message occurs in Via Browser 4.3.0 up to 4.3.3: "Exception Happened. Thread [main,5,main] java.lang.AbstractMethodError abstract method not implemented."
6. We certainly do not agree with the terms of privacy! Via browser exchanges data and shares them with third companies, but in our eyes that must have to do with an internal account to a chinese or foreign cloud server within its settings part one must not create. We won´t use Via Browser resp. the account, until privacy is bewared!

Please tell the author of the browser Tu Yafeng about all this by sending him
this e-mail, so that the elsewhere very fine Via Browser gets patched and
upgraded soon!
December, the 07 2021: One more errata:
All Signal messenger version since October 2021 do not enable user to mark out and delete messages anymore. Instead, signal quit crashes. This was found out upon Android 4.4.
What&s happened?
Dear reader, please contact this developer too!
BSI warns against Firefox &Thunderbird: Updates close several lacks in security, CHIP, 19.11.2020
Mozilla hat mit den aktuellen Updates für den Browser Firefox und den Mail-Client Thunderbird mehrere Sicherheitslücken geschlossen, vor denen das BSI warnt. Wir empfehlen Ihnen dringend, beide Programme möglichst bald auf die neueste Version upzudaten.

Next in-between-update for Firefox 78: Firefox 78.0.2 is ready for downloading, CHIP, 09.07.2020
Erst letzte Woche hatte Mozilla planmäßig Firefox 78 zum Download bereitgestellt. Doch es trat eine Nebenwirkung im Zusammenhang mit Suchmaschinen auf, woraufhin die Verteilung gestoppt wurde. Firefox 78.0.1 hatte das Problem behoben. Jetzt steht mit Firefox 78.0.2 das nächste Zwischen-Update an, das unter anderem ein Problem mit Microsoft Teams behebt.

Firefox 78.5.0 (el6,, patched by Firefox-78.9.0 except

OKPale Moon extensions: secret agent and/or eclipsed moon, JavaScript-toggle-buttom, script-blocker, ABL (for AdblockPlus, ABP) resp. abprime, ehprime: hide elements (any visible webside contents self-pointed out for the election per mouse leading into one more filter-rule for ABL resp abprime, noscript, RequestPolicyBlockContinued, Block Content (msdy), PermissionsPlus (extends about:permissions and this by now for each website), Pure URL, signTextJS, n-Matrix, noscript (version 5.1.9 out of rpm seamonkey-noscript (el8, el7)), CanvasBlocker Legacy, JavaScript-Toggle-Buttom, Decentral Eyes, No Resource URI Leak usw.!

Gooken recommends Pale Moon! The for more security firefox-code-reducing, but still comfortable Pale Moon is ready for tls-1.3 all upon minimal system requirements!

OKRecommended installation order of Pale Moon extensions for security: 1 Block Content Download before 2 PermissionPlus, 3 ScriptBlocker, 4 ABL, 5 Request Policy Block Continued, 6 nMatrix, 7 noscript and goalkeeper 8 Privacy Badger.

Pale Moon
Important nss-security-update end of November 2021:
nss: and can get exchanged with an actual nss (el8, el7) and nss-utils (el8, el7) easyly by the simple command "cp -fp" resp. link-command "ln"!

Can I run Firefox extensions in Pale Moon?
Yes, you can, for now. Since version 25 we´ve had the option to install (now called "legacy") XUL, bootstrapped and Jetpack type Firefox extensions on Pale Moon, despite Pale Moon being (and being identified as) a different browser. Please understand though that there is no guarantee that these extensions will work, and using extensions targeted at a different application is entirely at your own risk and you are pretty much on your own regarding support.

PROBLEM: Pale Moon 30.0.0: Menüs can not be opened, and Pale Moon does not surf anymore ! So we still use Pale Moon 29.4.4 resp. 29.4.6 (recommended by us) by now
Pale Moon 31.0.0: Each mouse-click onto any menu item causes delays of about several seconds!

An answer followed few days later by Top news from Pale Moon Org,, 21 march 2022
"Pale Moon 30 rollout cancelled. Following severe issues with the unexpected exit of a core dev and considerable damage caused to our operations, the milestone 30 rollout has been cancelled. Dabei geht der am Schluss installierte ("Torhüter, Torwart") Privacy Badger von der Bürgerrechtsorganisation EFF selbst nach vorgesehenen Blocken aller Trackingskripte mit dem Schieberegler von grün auf überalll rot, ausgenommen Facebook-Widgets, (hoffentlich) meist leer aus: Aufgelistete, vor ihm installierte Erweiterungen nehmen ihm diese Arbeit bereits ab. [...] Although we like Disconnect, Adblock Plus, Ghostery and similar products, none of them are exactly what we were looking for. In our testing, all of them required some custom configuration to block non-consensual trackers. Several of these extensions have business models that we weren´t entirely comfortable with. And EFF hopes that by developing rigorous algorithmic and policy methods for detecting and preventing non-consensual tracking, we´ll produce a codebase that could in fact be adopted by those other extensions, or by mainstream browsers, to give users maximal control over who does and doesn´t get to know what they do online."

[ SOLVED by Next problem "Pale Moon does´t start: XPCOM-error" got solved in Pale Moon > 29.4.1 ( and < 24.4.3, up from where it got solved now, rem., Gooken ) from 09.17.2021, but occured again in Pale Moon >= ! ]

Dear reader, please inform the developer of Pale Moon about the next issue, as we might not reach him!:
Email sent by Gooken
Date: 08.27.2021
Please forward this e-mail to the Pale Moon - forum and -developers !
here´s Gooken, and we want to tell you, that Pale Moon greater or equal Version 29.4.0
does not start anymore!
Started in a terminal, belonging error-message occurs:
"XPCOMGlueLoad error for file /usr/lib64/palemoon/ /usr/lib64/palemoon/ undefined symbol: g_bytes_unref Couldn´t load XPCOM."
Our GTK version is 2.24 (gtk from Enterprise Linux 6).
All previous versions up to 29.3.0 did work fine.
It would be nice to patch it (of course we can try another GTK version, if not)!

Palemoon up to now (24.4.4) still has got the sometimes arrow jumping toolbar icon during the load of some webpages.
It would be nice to patch it too.
Regards, Gooken

OKInitialization of the most important Pale Moon extension "Block Content Download" (msdy) each new start: in about::config edit /home/user/.mozilla/userprofile/user.js,by changing values of all items like permissions.*.* to the value 3, 3 for images ( that can be webbugs, that means tracking scripts with returned images ), stylesheets, objects, scripts, subdocuments and so on, that at least means "No third party allowed".

OKPale Moon extension: nMatrix
Point&click to forbid/allow any class of requests made by your browser. Use it to block scripts, iframes, ads, facebook etc.
nMatrix does also
Delete blocked cookies
Delete non-blocked session cookies minutes after the last time they have been used
Delete local storage content set by blocked hostnames
Clear browser cache every minutes
Spoof HTTP referrer string of third-party requests
Strict HTTPS: forbid mixed content
Block all hyperlink auditing attempts
Resolve CNAME records

OKPale Moon Extension: Pure URL 3.3.2 strips garbage referer tracking fields like ´utm_source´ from links and resolves short links
Beware of these links!
,, 10.27.2023
This article deals with certain link-parameters past the question mark tracking information and endangering privacy.

OKPale Moon extension: Eclipsed Moon (please notive: On websites like Eclipsed moon still sets the original useragent of the Browser. To prevent this, prefer useragent-exchangers like SecretAgent !)
By: Eurythrace Perseides
About this add-on
This add-on/extension is designed to work unobtrusively by using current, well known user agent strings and operating systems to "blend in" with the crowd. The preferred "smart" mode is designed to switch the user agent string only when no external tabs are open except for the home page, if it is an external page. The intent is to be quiet and NOT draw attention by changing the user agent string too frequently or using unique ones. It also offers an anonymity checklist for the browser settings, and has a "smart erase" feature to forget about a site when all open tabs to that site are closed. This is a COMPLETE erasure for that individual site, similar to the Delete History option when closing the browser. ALL PASSWORDS, COOKIES, HISTORY, ETC. WILL BE ERASED FOR THE SITE!
Test Package
A test package to verify the operation of the random User Agent generation may be downloaded from here:
Once unzipped, the XHTML file should be opened in a Pale Moon™ browser that already has the Eclipsed Moon add-on/extension installed. The operating mode of the add-on/extension should be set to "Page" before loading the test XHTML page. The test will then proceed to iterate a default value of 50 times and collect the statistics of the User Agents used for each iteration. Optionally, an iteration count may be passed to the XHTML file via adding a query string to the URI in the form of "?runs=100". The maximum number of iterations is set to 1000, although the JavaScript file associated with the XHTML file may be edited to change that number. There is an optional PHP file that may be loaded on a server along with the supporting files so the test may be conducted over the internet rather than on the local computer. This will use a large amount of bandwidth to run the test since each iteration will need to completely reload files from the server. The difference is that using the PHP file collects the User Agent from the HTTP header rather than the window.navigator.userAgent DOM property.

OKPale Moon extension: Certificate Patrol
"Welcome to Certificate Patrol 2.0. We introduced some improvements, that we should first explain to you.
Before we even list the details of a certificate, we first show you the certification hierarchy. That is the most important clue for oyou to find out, if you´re being tricked. An intermediate authority can put any text in the certificate, that you would like to see, but it cannot falsify the certificate checksums and its position in the hierarchy. Dangerous certificates are likely to be generated by a long list of authorities belonging to different companies or governments. Genuine ones are likely to be signed directly by a root certificate in your browser or by an intermediate creaated by the same company. All the inbetween cases are likely to be legitimate, but you can´t be sure. We are still taking guesses hsere because we steill don´t know, which root certificates in our browsers are worthy of trust. By keeping your eyes open and observing the patterns, you are a lot likelier to notice, when you are being attacked. In case of doubt, compare (by telephone) the checksums with somebody, that could not possibly be affected.
Another important change is, that we now inspect certificates for all parts of webpage, so you may see server names and domains comping up, that you never thourght youwere visiting, just because they host some Javascript or media files.
It´s also new, that you can reject all new certificate, when you see them.
That doesn´t mean, that you will be protected from using them, because we don´t have that much control over your browser.
If you don´t trust a site, you still have to close the window yourself. But it maens, that, if you bump into the same certificate again, you will be asked again. You could use this to see, if a certain website always has the same certificate, when you change internet connection. (like open it from work, then from home). Then again, if you store the certificate, you´re even safer, that the certificate is the same.
Several websites hat the bad habit of using multiple certificates for the same hostname. We consider it a configuration error on their side, but since they insist, you now have a little option of the certificate change pop-up to accept any certificate for the host as long as the issuer, that is the next higher level authority, stays the same. This should help in most cases, although I bet there are some, which are more misconfigured than that."

OKInitializing Palemoon-security-extension "Block Content Download" each new start: Type "about::config" into the address-line of your browser or edit /home/user/.mozilla/userprofile/user.js, by setting all items permissions.*.* to the value 3 for images, style sheets, objects, scripts, subdocuments (documents) and further on, that means at least onto this value for "no third parties" !

OKPale Moon security extension and tool resp. utility: Config Comments
This security extension from Tools&Utilities instead of Security from explains many items within about:config in detail. As our excurs will make a lot of changes of items within about:config, we like to recommendthis browser extension very much too!

OKPale Moon mode gecko (Goanna) - start in below 15 instead of over 70 seconds - security extension and tool resp. utility called "Expire history by days"
This security extension from Tools&Utilities instead of Security from empties the browser-history automatically. Set expire-in-days from value 0 to 1 and, following our observes, Pale Moon starts much, much faster...! The installation of this extension keeps Pale Moon from eavesdropping processes right at the beginning (Pale Moon start) too!

OKPale Moon extension: signTextJS
About this add-on
window.crypto.signText is a digital signature technology, that has been available to Firefox users for 20 years. It is used by government and banking sites. It can be used to participate in plebiscites.
The window.crypto interfaces were removed from Firefox 35 and later releases. An add-on was developed as a stop-gap measure for users; that add-on is deprecated and does not work since Firefox 57, but still work with Pale Moon.
This fork based on the original signTextJS-0.7.7 add-on by mozkeeler.

OKPale Moon extension: Modify HTTP Response
By: Off JustOff
About this add-on
Modify HTTP Response is designed to rewrite http response body using search & replace patterns.
This tool works on low level API and intended for advanced users.
Incorrect filters can cause browser freeze, hang or loose data.
Never use filters from untrusted sources or if you don´t understand them.

OKPale Moon and Firefox extension: No Resource URI Leak
Deny resource:// access to web content. We fill the hole to defend against fingerprinting. Very important Firefox privacy. A direct workaround for
block access to resource:// URIs from web
block web-exposed subset of chrome:// URIs
uniformly filter disallowed redirects
restrict about: pages by default (for paranoids)

OKClassic Add-ons Archive [External]
Catalog of classic Firefox add-ons created before WebExtensions apocalypse.

[SOLVED by Gooken: Pale Moon always stops working (halts) for about 30 seconds after getting started ]
Enter about:config into the address-line and delete (quit) all values (URL/URI) containing "http://" and "https://"!

You don´t like the design of Pale Moon? Beneath an actual version of Pale, extensions, lookout for a theme you like from many ones from!

OKPale Moon Extensions: Eventually formulate exceptions for some of them within.
You can formulate them for extension Eclipsed Moon (OpenSource from or SecretAgent (ClosedSource from manufaccturer out of UK) during the setting the browser-user-agent-specific, Noscript, RequestPolicy, n-Matrix as much as within the proxy-settings of Pale Moon. Please notice, that Eclipsed moon still isn´t able to formulate exceptions for single URI (URL).

OKSo nothing has to be done by the administrator as much as user manually in future - all gets automized - as generally possible with UNIX/Linux!

Designs and styles: Many alternative designs and stylese for Pale Moon are provided by and other locations.

OKCreate one more profile by about:profiles without many or without all (too many restrictions causing) extensions, whenever some websites get too restricted and you don´t know, how to "reset" belonging extensions from above, in order to get the rights back, by restarting Pale Moon resp. Firefox or by launching a single window for this created alternative profile ( out of about:profiles ).

Block annoying cookie-banner (telling us to allow cookies): a browser-add-on cares for less frustration during the surfing online, CHIP, 10.09.2020
Download Firefox-Erweiterung: I don´t care about cookies für Firefox 3.2.2
CHIP tested it with: good

Virusses, trojans, worms, bots: 40 percent of all computers in Germany are "zombies", FOCUS Online, 03.02.2014
The amount is alarming: 40 Prozent of all PCs in Germany are infected and can be remoted by Cyber-gangster. Once installed, malware opens backdoors for the new one.

All Intel-CPU-generations since Celeron
"We can skim out (eavesdrop) everything",, 04.01.2017
Following a newspaper report the detection of actual lacks in security within plenty of computer chips was also made by researchers from the Technical University Graz in Austria. "We were shocked by ourselves about the functioningt", said Michael Schwarz from the TU Graz to quot;Tagesspiegel".
By this leaks all data could be read out of the computer is getting about. "In principle we can read out everything typed into the computer." Attackers could gain online banking data or stored passwords
"Though for this purpose they have to get logged into or connected with the computer", restricted Mr. Schwarz.

Warning against new infostealer, that is put about through Google-Ads,, 03.01.2023
Der Sicherheitsdienstanbieter Zscaler warnt vor einem erstmals im Dezember 2022 entdeckten Infostealer, der in der Lage ist, Anmeldeinformationen von Webbrowsern, VPN-Clients, E-Mail-Clients und Chat-Clients sowie von Kryptowährungswallets zu stehlen. Die in C++ geschriebene Malware bestehe aus einem Loader und dem Hauptmodul, erläutern die Sicherheitsexperten des Zscaler ThreatLabZ-Teams. Letzteres sei für das Exfiltrieren der gesammelten Anmeldedaten verantwortlich. Es handele sich um ein bösartiges Schadprogramm, dass sich vornehmlich über Google-Ads verbreitet.

OK Huawei P40 Pro: Google does not exist anymore, CHIP, 02.04.2020
[...] ... is a salient smartphone with plenty of improvements...

From our data sheed ("... still functioning today!")

OKSmartphone HUAWEI Y360 (Y360-U61) with accessory and magnetized black leather case and charging device from expert, year 2015, for 79 Euro (I got it from a friend for free...)

Detailed, precise check: spectre-meltdown-checker (el6) resp. meltdown-spectre-checker (el6)
niue-muenzenSolution: The solution is dependent from the security-concept (excurs). Microcode, kernel-version, device drivers and CPU themself might only help partially, that means not help at all and if they help, they only mitigate problems with Meltdown and Spectre:

Take the quit old Intel® Celeron into a fast RISC-processor "mutating" microcode_ctl ( take the fastest version you can: the faster, the more unrisk the CPU (!); enfastening (almost probably running most secure, as the fastest one: rosa2021.1, rosa2016.1): microcode_ctl-1.17-33.33.el6_10.x86_64.rpm, fc29: ver. 2.1-33, ), we might recommend the mouseclick-fast microcode_ctl (rosa2021.1, rosa2016.1, el9, el8) past (upon) microcode_ctl (el6) getting installed (overwritten el6) by rpm -i --force) or ucode_intel (OpenSuSE, newer rpm for 15.3, 15.2, 15.1) and an actualized kernel-5.4 (pclos) or kernel 4.19 (pclos) or >= 4.21 (kernel 5) (we installed kernel: 5.4.110-pclos past 4.20.13 (pclos1))

Our tip: Take the cpu fastest working version!
With this version from 05.22.2023 all (data-sheed. Celeron of Mini-ITX-220) seems to work faster than even mouseclick-fast, quit fast like the time before all these microcode_ctl-updates: microcode_ctl-20230214-1.el9.noarch.rpm !.
Or, pardon: Try Microcode Updates for Intel x86/x86-64 CPUs
OpenSuSE Tumbleweed for x86_64 ucode-intel-20240312-1.2.x86_64.rpm
Clean up your Linux-System, by making as many programs run as possible. Solve dependencies, look out for any missing library, clear up different versions of perl and python and so on.
Gorgeous! With this ucode-intel processors equal or higer Celeron run even faster than already mouseclick-fast right before!

Start microcode_ctl (for example in /etc/rc.local):

echo 1 > /sys/devices/system/cpu/microcode/reload
sh /usr/libexec/microcode_ctl/reload_microcode
... or by an used processor exploring udev-rule.
or: microcode_ctl -qu

and/or start it automatically each system boot.
For this, unlock the boot-partition by command "mount -o remount rw /boot", in order to integrate microcode ctl into the initramfs using dracut ("dracut -f /boot/initramfs-... kernel-module-version").

... and mouseclick-fast not only during the night ( 21.00 - 06.00 o´clock, a time, where some server got shutdown): microcode_ctl (el8, from July 2022).over microcode_ctl (el6).
Also, for such purposes, do not forget to actualize Linux as described in our section "Universal Linux"!

Firewall Linfw3 against Meltdown and Spectre: Set group "nobody" for the group of surfuser (with primary group nobody) and only allow surfuser with one more group of surfuser named surfgroup for example (instead of nobody) to go online. Linfw3 is able to block even root (UID: root, 0, GID: root, 0). So noone is allowed to go online through Linfw3 else surfuser with group surfgroup (instead of his primary group "nobody"), what prevents device drivers from exchaning data - as in this case caused by Meltdown and Spectre To go paranoid, to make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to it´s primary group "nobody".

Emulators: virtualbox (MS Windows and other OS), qtemu, qemu (MS Windows, virtual emulators of many operating systems), mingw (the MSWindows-dll) and wine (MS Windows), dosemu-freedos (rosa2014.1, MSDOS, PC-DOS), basiliskII, basilisk (Macintosh), puae and uae (Amiga), hatari (ATARI ST), vice and micro64 (VC64), dosbox, dos2unix (text format converter), yabause (saturn emulator), xroar (dragon 32, 64, Tandy coco emulator), fbzx (Spectrum), caprice (Amstrad CPC), zboy (Nintendo Gameboy), ...

Howto use Windows within Linux through Virtualbox,, 08.05.2019
Per virtualization it is possible to use software and apps for Windows for Linux too. We show, howto.
Virtualbox (el6, all Linux): VirtualBox-5.2-5.2.28_130011_el6-1.x86_64.rpm 12-Apr-2019 20:25 78M, VirtualBox-6.0-6.0.6_130049_el6-1.x86_64.rpm 16-Apr-2019 15:58 118M ( or ) from resp.
and Virtualbox: UserManual.pdf,,
Actual version from March 2020:

... r und Ersteller von Technologien zu machen, die mit uns zusammenarbeiten."
Bereits letztes Jahr hatte sich Microsoft klar dazu bekannt, trotz Protesten der eigenen Mitarbeiter das US-Militär weiter mit seinen Technologien ausrüsten zu wollen. So bewarb sich der Konzern - genauso wie Amazon - um einen Großauftrag, der die Software des US-Militärs komplett überholen und auf Cloud-Basis bringen soll. Welcher Konzern den Auftrag erhält, ist noch offen. Im Sommer schloss Microsoft einen weiteren Milliarden-Deal ab, um die Büros des Pentagon mit seinen Office-Programmen auszustatten.
[...] Kritiker sehen die Kombination aus Edge-Computing und Militär als durchaus gefährlich an. So könnten Drohnen in Zukunft auf Basis ihrer KI-Algorithmen selbst die Entscheidung zum Angriff treffen. Google hatte sich wegen solcher Befürchtungen in seiner Belegschaft entschieden, die Zielerkennung von Drohnen nicht weiter zu unterstützen.
Nadella scheint diese Gefahr durchaus bewusst zu sein. In seiner Rede sprach er auch von der Verantwortung, die KI mit sich bringt. "Wir glauben an verantwortliche KI. Man muss auch die schweren Fragen stellen, nicht nur was ein Computer tun kann - sondern auch, was er tun sollte." Die Antwort nannte er nicht.

OKBastille: Full-automatic IT-security for UNIX / Linux per mouseclick?,
"Bastille is a system hardening / lockdown program which enhances the security of a Unix host. It configures daemons, system settings and firewalls to be more secure. It can shut off unneeded services and r-tools, like rcp and rlogin, and helps create "chroot jails", that help limit the vulnerability of common Internet services like Web services and DNS. This tool currently hardens Red Hat Enterprise Linux, Legacy, and Fedora Core, as well as Debian, SUSE, Gentoo, Mandriva, Ubuntu, Mac OS X, and HP-UX. If run in the preferred Interactive mode, it can teach you a good deal about Security while personalizing your system security state. If run in the quicker Automated mode, it can quickly tighten your machine, but not nearly as effectively (since user/sysadmin education is an important step!) Bastille can also assess the state of a system, which may serve as an aid to security administrators, auditors and system administrators, who wish to investigate the state of their system´s hardening without making changes to such. To run: -bastille [(-b|-c|-r|-x|--assess|--assessnobrowser)] -b : use a saved config file to apply changes directly to system -c : use the Curses (non-X11) GUI -r : revert Bastille changes to original file versions (pre-Bastille) -x : use the Perl/Tk (X11) GUI --assess : use the assessment functionality, viewing results in a browser --assessnobrowser: use the assessment functionality without a browser."

From this excurs

OKForbidden good?

Firefox (64 Bit) 74.0 Final
Free download now from CHIP: the brand actual final version of Firefox 74.0.
CHIP test result: Very good

Firefox-ESR-52.9.0-Extensions: quit complete filtering of tracking-scripts by ABP, RequestPolicy, noscript and our ff-ESR-security-settings through user.js (from Kai and other authors resp. see further below)

OK (from 04.28.2020), requires (for el6): mozilla-nss (OpenSuSE Thumbleweed, libfreebl3 (OpenSuSE Thumbleweed), libsoftokn3 (OpenSuSE Thumbleweed)
OKRespective the top-actual version of FirefoxESR-52.9.0 out of the directory: (from 02.15.2019)
OKseamonkey (el6, this version 2.49 includes the actual patched firefox-52.9)
FirefoxESR-52.8.1 (el6,

Attention! The installation-order of some of the following Firefox-extensions is a not unimportant point: ABP (by the (*-wildcard-based) security-filter-rule "forbidden is, what is not (explicit) allowed", details in future from further below) and/or uBlock resp. ABL for Pale Moon) right before RequestPolicy before Noscript (or uMatrix) before PrivacyBadger before CanvasBlocker!

Notice: ( The last Firefox-extension we installed, "goalkeeper") Privacy Badger from the switzer civil rights organization EFF as the in our order last installed extension does not, as we hope - except facebook-widgets - block many tracking-scripts, even if single marked scripts turned from green (allow) to red (block): Listed previous installed script-blockers did already do their best. [...] Although we like Disconnect, Adblock Plus, Ghostery and similar products, none of them are exactly what we were looking for. In our testing, all of them required some custom configuration to block non-consensual trackers. Several of these extensions have business models that we weren´t entirely comfortable with. And EFF hopes that by developing rigorous algorithmic and policy methods for detecting and preventing non-consensual tracking, we´ll produce a codebase that could in fact be adopted by those other extensions, or by mainstream browsers, to give users maximal control over who does and doesn´t get to know what they do online. How does Privacy Badger work?
When you view a webpage, that page will often be made up of content from many different sources. (For example, a news webpage might load the actual article from the news company, ads from an ad company, and the comments section from a different company that´s been contracted out to provide that service.) Privacy Badger keeps track of all of this. If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you.
At a more technical level, Privacy Badger keeps note of the "third party" domains that embed images, scripts and advertising in the pages you visit. Privacy Badger looks for tracking techniques like uniquely identifying cookies, local storage "supercookies," first to third party cookie sharing via image pixels, and canvas fingerprinting. If it observes a single third-party host tracking you on three separate sites, Privacy Badger will automatically disallow content from that third-party tracker.
In some cases a third-party domain provides some important aspect of a page´s functionality, such as embedded maps, images, or stylesheets. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies and referrers (these hosts have their sliders set to the middle, "cookie block" position).

Electronic Frontier Foundation ( ff-extension Privacy Badger and other ones.) against mass surveillance and eavedropping trough NSA & Co.
USA: Erneut Klage gegen Massenüberwachung durch NSA abgewiesen
,, 11.05.2019
Seit Jahren kämpft die Electronic Frontier Foundation vor Gerichten gegen die Massenüberwachung durch den US-Geheimdienst NSA. Nun hat ein Bundesrichter eine Klage aus dem Jahr 2008 abgewiesen: Um die nationale Sicherheit zu schützen, müsse ein mögliches Überwachungsprogramm geheim bleiben.

OKThe failure: As it can be seen from the key-lock left beneath the addressline, the encryption with the new TLS 1.3 is not possible on our system (el6) for mentioned firefox (52.9), either just weak or even unencrypted!
What did happen to this firefox on OpenSuSE under all the patches? Actually we can only recommend the browser Pale Moon with quit the same extensions: secret agent and/or eclipsed moon, ABL (for AdblockPlus, ABP), noscript, RequestPolicyBlockContinued, Block Content Download, n-Matrix, CanvasBlocker, JavaScript-Toggle-Buttom, script-blocker, about:config-explainer, HTTPS enforcer, Decentral Eyes and further on, at last again the "goalkeeper" Privacy Badger made by the non-profit Electronic Fourier Foundation (EFF).

OKPale Moon extension: n-Matrix
Add following rules from temporary to permanent into the dashboard of n-Matrix:

OKPalemoon extension nMatrix
To go sure, add the follwoing rules from temporary to permanent within the Dashboard of n-Matrix:
https-strict: * true
https-strict: behind-the-scene false
matrix-off: about-scheme true
matrix-off: chrome-extension-scheme true
matrix-off: chrome-scheme true
matrix-off: moz-extension-scheme true
matrix-off: opera-scheme true
matrix-off: wyciwyg-scheme true
no-workers: * true
referrer-spoof: * true
referrer-spoof: behind-the-scene false
* * * block
* * css block
* * frame block
* * image block
* * script block
* * xhr block
* * media block
* * other block
* 1st-party css allow
* 1st-party image allow script block

Alone the image block from above prevents from webbugs.
Notice, that all values can be set directly within the matrix by simple mouseclicks, even upon the describing border of the matrix!

OKPale Moon extension: Block Content Downloader
Initialization Palemoon extension "Block Content Download" each newstart of Pale Moon: through typing in about::config into the address-bar or editing /home/user/.mozilla/userprofile/user.js to set all or quit all entries named permissions.*.* up or down to 3, where 3 at least stands for "Forbid third-parties" refering to images, objects, scripts, documents and so on !

OKPale Moon extension: signTextJS
About this add-on
window.crypto.signText is a digital signature technology that has been available to Firefox users for 20 years. It is used by government and banking sites. It can be used to participate in plebiscites.
The window.crypto interfaces were removed from Firefox 35 and later releases. An add-on was developed as a stop-gap measure for users; that add-on is deprecated and does not work since Firefox 57, but still work with Pale Moon.
This fork based on the original signTextJS-0.7.7 add-on by mozkeeler.

OKPale Moon extension: Modify HTTP Response
By: Off JustOff
About this add-on
Modify HTTP Response is designed to rewrite http response body using search & replace patterns.
This tool works on low level API and intended for advanced users.
Incorrect filters can cause browser freeze, hang or loose data.
Never use filters from untrusted sources or if you don´t understand them.

OKClassic Add-ons Archive [External]
Catalog of classic Firefox add-ons created before WebExtensions apocalypse.

OKuMatrix (uM, or seamonkey-noscript (5.1.9 for ff52-ESR from February 2020, includes the xpi-install-file) or
mozilla-noscript (,, 5.1.7-1, fc, el7, el6, or or,, vom 16.11.2018 (patched 171 times, therefore the recommended version)
OKmozilla-adblockplus (-2.9.1-27 fc, el7, el6 or,,
OKmozilla-requestpolicy (-1.0-0.22.20171019git633302 fc27 from 02.08.2020 / 08.02.2020, el6, or, you still have to copy it from /usr/share/mozilla/extensions/ to /home/surfuser/.mozilla/extensions/),,
mozilla-https-everywhere (fc, el6 or,,
firefox-ublock_origin (alt1,,
OKCanvasBlocker (, against Canvas Fingerprinting)
OKCookieController (, part of Jondofox)
Private Tab (
OKRefControl (, Referer Control)
OKUserAgentSwitcher (
OKLink Redirect Fixer (
Link_Cleaner (
OKsecretagent (anonymizing useragents; extension from
OKCSS Exfil Protection by Mike Gualtieri ( xpi from, )
TrackMeNot (xpi), Firefox extension to protect web habits from tracking and profiling, protect against data profiling by search engines, "TrackMeNot is a lightweight browser extension that helps protect web searchers from surveillance and data-profiling by search engines. It does so not by means of concealment or encryption (i.e. covering one´s tracks), but instead by the opposite strategy: noise and obfuscation. With TrackMeNot actual web searches, lost in a cloud of false leads, are essentially hidden in plain view. User-installed TrackMeNot works with Firefox and Chrome browsers, integrates with all popular search engines and requires no 3rd-party servers or services. TrackMeNot runs as a low-priority background process, that periodically issues randomized search-queries to popular search engines, e.g., AOL, Yahoo!, Google, and Bing. It hides users´ actual search trails in a cloud of ´ghost´ queries, significantly increasing the difficulty of aggregating such data into accurate or identifying user profiles. TrackMeNot serves as a means of amplifying users´ discontent with advertising networks, that not only disregard privacy, but also facilitate the bulk surveillance agendas of corporate and government agencies, as documented recently in disclosures by Edward Snowden and others. To better simulate user behavior TrackMeNot uses a dynamic query mechanism to ´evolve´ each client (uniquely) over time, parsing the results of its searches for ´logical´ future query terms with which to replace those already used.
Public awareness of the vulnerability of searches to systematic surveillance and logging by search engine companies was initially raised in the wake of a case, initiated August 2005, in which the United States Department of Justice (DOJ) issued a subpoena to Google for one week´s worth of search query records (absent identifying information) and a random list of one million URLs from its Web index. This was cited as part of its defense of the constitutionality of the Child Online Protection Act (COPA). When Google refused, the DOJ filed a motion in a Federal District Court to force compliance. Google argued that the request imposed a burden, would compromise trade secrets, undermine customers´ trust in Google, and have a chilling effect on search activities. In March 2006, the Court granted a reduced version of the first motion, ordering Google to provide a random listing of 50,000 URLs, but denied the second motion, namely, the request for search queries.
While viewed from the perspective of user privacy this seems a good outcome, yet it does bring to light several disquieting points. First, from court documents we learn that AOL, Yahoo!, and Microsoft have complied with the government´s request, though details are not given. Second, we must face the reality that logs of our online searches are in the hands of search companies and can be quite easily linked to our identities. Thirdly, it is clear we have little idea of, or say in, what can be done with these logs. While, in this instance, Google withheld such records from the Government, it would be foolish to count on this outcome in the future. Public awareness of the vulnerability of searches to systematic surveillance and logging by search engine companies, was initially raised in the wake of a case, initiated August 2005, in which the United States Department of Justice (DOJ) issued a subpoena to Google for one week´s worth of search query records (absent identifying information) and a random list of one million URLs from its Web index. This was cited as part of its defense of the constitutionality of the Child Online Protection Act (COPA). When Google refused, the DOJ filed a motion in a Federal District Court to force compliance. Google argued that the request imposed a burden, would compromise trade secrets, undermine customers´ trust in Google, and have a chilling effect on search activities. In March 2006, the Court granted a reduced version of the first motion, ordering Google to provide a random listing of 50,000 URLs, but denied the second motion, namely, the request for search queries.
While viewed from the perspective of user privacy this seems a good outcome, yet it does bring to light several disquieting points. First, from court documents we learn that AOL, Yahoo!, and Microsoft have complied with the government´s request, though details are not given. Second, we must face the reality that logs of our online searches are in the hands of search companies and can be quite easily linked to our identities. Thirdly, it is clear we have little idea of, or say in, what can be done with these logs. While, in this instance, Google withheld such records from the Government, it would be foolish to count on this outcome in the future.
TrackMeNot is user-installed and user-managed, residing wholly on users´ system and functions without the need for 3rd-party servers or services. Placing users in full control is an essential feature of TrackMeNot, whose purpose is to protect against the unilateral policies set by search companies in their handling of our personal information. We have developed TrackMeNot as an immediate solution, implemented and controlled by users themselves. It fits within the class of strategies, described by Gary T. Marx, whereby individuals resist surveillance by taking advantage of blind spots inherent in large-scale systems1. TrackMeNot may not radically alter the privacy landscape but helps to place a particularly sensitive arena of contemporary life back in the hands of individuals, where it belongs in any free society.

Special thanks to the NYU Dept of Computer Science, the Media Research Lab, the Mozilla Foundation, Missing Pixel, the Portia Project, Babelzilla, Ernest Davis, Michael Zimmer, John Fanning, and Robb Bifano."

Details and installation from,

OKFirefox Addons
Firefox Multi-Account Containers Version 8.0.6
, CHIP, 21.02.2022
Trennung von Privatem und Geschäftlichem
Mehr Privatsphäre beim Surfen
Umfangreiche Anpassungsmöglichkeiten
Mit dem kostenlosen Firefox Add-on "Multi-Account Containers" trennen Sie beim Surfen verschiedene Bereiche wie Online-Banking, Arbeit oder privates Surfen technisch voneinander, indem Sie Container festlegen und Webseiten passend einordnen.
In einem Tab checkt man die geschäftlichen E-Mails, in einem anderen ist der private Facebook-Account offen und im Dritten erledigt man Online-Banking: "Multi-Account Containers für Firefox" will diese verschiedenen Arbeitsbereiche innerhalb eines Browserfensters trennen und dadurch Ihre Privatsphäre stärker schützen.
Multi-Account Containers für Firefox: Ein Browserfenster, mehrere Accounts
[...] So können Sie beispielsweise Ihren Social-Media-Account geöffnet lassen, ohne das Facebook und Co. alles über Ihr restliches Surfverhalten mitbekommen.

Privacy Badger - "Privacy Bader - How does Privacy Badger work?
When you view a webpage, that page will often be made up of content from many different sources. (For example, a news webpage might load the actual article from the news company, ads from an ad company, and the comments section from a different company that´s been contracted out to provide that service.) Privacy Badger keeps track of all of this. If as you browse the web, the same source seems to be tracking your browser across different websites, then Privacy Badger springs into action, telling your browser not to load any more content from that source. And when your browser stops loading content from a source, that source can no longer track you. Voila!
At a more technical level, Privacy Badger keeps note of the "third party" domains that embed images, scripts and advertising in the pages you visit. Privacy Badger looks for tracking techniques like uniquely identifying cookies, local storage "supercookies," first to third party cookie sharing via image pixels, and canvas fingerprinting. If it observes a single third-party host tracking you on three separate sites, Privacy Badger will automatically disallow content from that third-party tracker.
In some cases a third-party domain provides some important aspect of a page´s functionality, such as embedded maps, images, or stylesheets. In those cases Privacy Badger will allow connections to the third party but will screen out its tracking cookies and referrers (these hosts have their sliders set to the middle, "cookie block" position).
Does Privacy Badger account for a cookie that was used to track me even if I deleted it? Yes. Privacy Badger keeps track of cookies that could be used to track you and where they came from, even if you frequently clear your browser´s cookies. Does Privacy Badger still work when blocking third-party cookies in the browser?
When you tell your browser to deny third-party cookies, Privacy Badger still gets to learn from third parties trying to set cookies via HTTP headers (as well as from other tracking techniques such as pixel cookie sharing and canvas fingerprinting). Privacy Badger no longer gets to learn from cookies or HTML5 local storage being set via JavaScript, however. So, Privacy Badger still works, it´ll just learn to block fewer trackers. Clearing history or already-set cookies shouldn´t have any effect on Privacy Badger.
How does Privacy Badger handle social media widgets?
Social media widgets (such as the Facebook Like button, Twitter Tweet button, or Google +1 button) often track your reading habits. Even if you don´t click them, the social media companies often see exactly which pages you´re seeing the widget on. Privacy Badger includes a feature imported from the ShareMeNot project which is able to replace the widgets with a stand-in version, so that you can still see and click them. You will not be tracked by these replacements unless you explicitly choose to click them. Privacy Badger currently knows how to replace the following widgets if they are observed tracking you: AddThis, Facebook, Google, LinkedIn, Pinterest, Stumbleupon, and Twitter. (The source code for these replacements is here; pull requests are welcome.)
Note, that Privacy Badger will not replace social media widgets unless it has blocked the associated tracker. If you´re seeing real social media widgets, it generally means that Privacy Badger hasn´t detected tracking from that variant of the widget, or that the site you´re looking at has implemented its own version of the widget. To avoid confusion, the replacement widgets are marked with the Privacy Badger badge next to the button. To interact with a replacement widget, simply click on it. Depending on the widget, Privacy Badger will either send you directly to the appropriate sharing page (for example, to post a tweet) or it will enable and load the real social widget (for example, the Facebook Like button, with personalized information about how many of your friends have "liked" the page). In the second case, you will still need to interact with the real widget to "like" or share the page."

OKUpdate MozillaFirefox-52.9.0 (OpenSuSE: Februar 2019, gecko-engine / firefox-extensions ) with the at this time actual firefox-68.6.0 (el6, April 2020, quantum engine / webextensions):

As of February 2019

Enpack the following files out of rpm firefox-68.6.0 (el6, rpm, as of April 2020) into /usr/lib64/firefox/

gtk2 (directory)
fonts (directory) (out of rpm openssl-1.1.1a up to openssl-1.1.1e)

Enpack the following files out of seamonkey (el6, rpm, as of: September 2019) into /usr/lib64/firefox/

Enpack the following files out of seamonkey (el6, rpm, as of: September 2019) into /usr/lib64/firefox/chrome/icons/default


Enpack the following files out of seamonkey (el6, rpm, Stand: September 2019) into /usr/lib64/firefox/browser/


Eventuelly remove IDs etc.
Edit /usr/lib64/firefox/application.ini and /usr/lib64/firefox/platform.ini and set the values as you like.

Firefox part within "about:config" gets autoconfigured each start of firefox. The configuration file named user.js making it possible can be found in the profil in /home/surfuser/.mozilla/firefox/profilename/.
Details of user.js are listed furhter below.

Still not updated: (gecko, as of: February 2019). If this disturbs you, install seamonkey (el6) or

patch the firefox-source-code with patches from (diff) (diff)

OKFirefoxESR-52-patches 2019- up to now:
2019-11-30 Updated package firefox-esr52 52.9.0-5 Muflone
2019-06-22 Updated package firefox-esr52 52.9.0-4 Muflone
2019-06-13 Updated package firefox-esr52 52.9.0-3 Muflone
2018-08-11 Updated package firefox-esr52 52.9.0-2 Muflone

Update Mozilla Firefox Javascript
mozjs (el6)

Alternatively Firefox-ESR >= 60 (el6), ff-60-ESR (el6), ff-68-ESR (el6), ... with engine Quantum and Webextensions does not enable most important extensions like RequestPolicy(BlockContinued).

OKAnonymizing user-agents for extensions like secretagent:

"Mozilla/5.0 (compatible; Googlebot/2.1; +"
"Mozilla/5.0 (compatible; bingbot/2.0; +"
"Mozilla/5.0 (compatible; Yahoo! Slurp;"
"Mozilla/5.0 (compatible; Gooken; +"

Warning: This Firefox is without extensions like Request(Block)PolicyContinued !

OK[SOLVED by Gooken, 15.03.2020] Firefox doesn´t show the actual extension version number for the extension installed by rpm within the item "Addons" from menu, so that Firefox is still working with the old, previous version installed before?
This might happen for mozilla-adblockplus for example, as the xpi-file is missing within the package!
Copy all of this extenisons out of /usr/share/mozilla/extensions into /home/surfuser/.mozilla/extensions ("cp -axf"), set the owner- and acess-rights upon it and delete the belonging xpi-file (of the previous version) out of the subdirectory of the profile. Now the correct version number is shown in Addons, with wich Firefox will work in future.

OKDoes the Browser restrict websites (formulars and so on) although extension like ABP, noscript and RequestPolicyBlockContinuned and so on got reconfigured?
If a reconfiguration of the extensions does not help at all, deactivate them in addons->extensions - extension by extension or, if nothing helps: all at once!
Now Firefox-52.9.0-ESR should really enable quit all functionality for websites.
After meant websites are left, do not forget to activate the extensions again!

OK[ SOLVED : Websites with too much restrictions possible caused by extensions or security settings: No possible login etc. ]
If even the resetting of extensions does not help, create one more, new profile in about:profiles, set it temporary to the default profile and
restart firefox.

OKQuit all files of ESR-52.9.0 except, some libraries and the mask for settings omni.ja can be exchanged with those from newer Firefox like ESR-60.9.0 and ESR-68.

OKUpdate kmozillahelper (zombie process): kmozillahelper (rosa2014.1) or deinstall it by "rpm -e --nodeps kmozillahelper"

More about "security with firefox (Gecko)":
from this webside further below!

OKTails 4.2 improves automatic update
Look for your Linux, if possible too.

OKAppAmor - "o´zapft is?"
AppArmor - broaching the computer system or kernel-security-module?
, Gooken, 06.07.019
Profiles of AppArmor are: passwd, Browser, D-Bus, Netzwerk, Task-Manager (cron), dhclient, dhcp, DAPRA-portmap, tmpwatch, procmail, skype, wireshark, ftpd, mysqld, postfix, sendmail, squid, sshd, useradd, vsftpd, xinetd, fingerd, ntalkd, cupsd, xfs, ping, nvidia_modprobe, dovecot, apache2, dnsmasq, ntpd, identd, smbd, traceroute, winbindd, lessopen, klogd, avahi-daemon, ...
AppArmor works during the system boot by default for Linux like Debian Linux Tails. The boot time even more than doubles by this.
The module itself can be intergrated as a kernel security module as a kernel-boot-paramter. Pre-configured profiles can be envoked for example in /etc/rc.local.
The developer contracted with Microsoft years ago. Linus Tovalds recommends such securiy module, that can be integrated beneath Module SELinux developed by the NSA, discussed in another report we published in News&Links and japanese Tomoyo Linux (rosa, mdv).
Like all other MAC (Mandatory Access Control for the control of process interaction), AppArmor isn´t necessary to bound in "secure=none" in our kernel-bootline.
Original program description from "AppArmor is a security framework that proactively protects the operating system and applications. This package provides the libapparmor library, which contains the change_hat(2) symbol, used for sub-process confinement by AppArmor, as well as functions to parse AppArmor log messages.
Base profiles. AppArmor is a file and network mandatory access control mechanism. AppArmor confines processes to the resources allowed by the systems administrator and can constrain the scope of potential security vulnerabilities. This package is part of a suite of tools that used to be named SubDomain."
"AppArmor is security Linux kernel module similar to the SELinux but it´s supposed to be easier to setup and maintain. There are many reasons for you to disable it, primary one is that its security features can get in the way of legitimate applications operation",
Also see our report: serious hard News-Group-discussion about NSA´s SELinux.
Later on, the programming expert of AppArmor became a paid expert of Microsoft. We made the expirience, our computer system runs quit different fast, depending on night and daytime and the kind of information we handled. But without all the kernel-security-modules, AppArmor and so on, it always runs as fast as the mouseclick allows: mouseclick-fast.

AppArmor is a security module for Linux. It is a Mandatory Access Control (MAC) System controlling each application and program through profiles with access rights refining the common ones. Beneath the default profiles any profiles can be created. For each profile one of three modes has to be set.

Howto use Windows within Linux through Virtualbox,, 08.05.2019
Per virtualization it is possible to use software and apps for Windows for Linux too. We show, howto.
Virtualbox (el6, all Linux): VirtualBox-6.0-6.0.6_130049_el6-1.x86_64.rpm from 16-Apr-2019 118M ( or ) and UserManual.pdf from
Alternatively: qemu (el6, all Linux), virt-manager (el6) and libvirt (el6), wine64 (el6, all Linux, 64-Bit-MS-Windows-Emulator) and wine (el6, all Linux, 32-Bit-MS-Windows-Emulator)

Wonderful Unix, wonderful OpenSource ("tick-tick-tick-..."), we are right (addition from 07.09.2013): Tagesschau reports about weak-points in many security software. The industry for software would have been built-in backdoors in their programs. It were possible to get information right before a user encrypts them and to send them over the internet. Super-computer were constructed to crack encrypted codes. NSA-program "Bullrun" belonged to the most kept secrets. The british agency GCHQ were very successfull in cracking code. Such analyses would have belonged to Google, Yahoo, Facebook und Microsoft. From banking software up to election computer, if databases, data protection or data security: Only OpenSource-Software can be trusted!

Since 1981/82: Black monitors, tons of updates (terrabytes), Cyberwar, Suneater, missing driver, driver- and hardware failouts, glibc-patch, openssl-patch, system breakdowns ( a.o. python), defect kernel and glibc, Dirty Cow, Sambacry, Meltdown and Spectre, security access points in browser, hacker, trojans, viruses, unsolved packet-dependencies and so on and on
It must be the kind of (artificial-) bomb in each computer, because in any operating system and a lot of software and updates over updates, but through Gooken´s "Universal Linux 2010" it manges the first time past over 25 years to disarm it.

OKNew computer: Four things you should do right up from the beginning,, 02.03.2020
It does not matter, how young or old you are: It is a beautiful feeling to start a new computer. Care yourself for the security right up from the beginning.

2009/2010: Year of the hardware, year of the software (CentOS el6, Mandriva2010) - ALL talk around the computer got passed! (!!!)
... almost surface-covering and security technically: just completion and updating (see the update-listing from our webside "Universal Linux 2010"! CentOS- and SL-updates (el6) are provided in the internet from year 2010 up to year 2026 and (mit el7) longer. Belonging power saving, mouseclick-fast and Linux-compatible lifetime-hardware (*) quit for free is listed in our -> data sheed device by devcie: all-in-one-mainboard, net adapter, all poor radiationed and supersilent, ultraslim-WLED-TFT, SSD, rom-drives (DVD-burner), multifunction-printer (printing- scanning - faxing and copying), mouse/keyboard, computer tower, ...
This all although the computer standed (and stands) for "nothings more "kaputter" (out of order)"... (following the excurs and see News&Links)! Lifetime-hardware (*): We are going to report about errorcs and defects of the mainboard under data sheed in future. There are none up to now.

OKAvoid these 14 mistakes and errors during building up your PC ( hardware ) by yourself !,, 04.07.2020
If you build up a PC for the first time by yourself, take notice of 14 important things. Otherwiese you might have a big bad suprise!

OKMoving into a bad, bad world...
From Saturn-Service-Center: PC-build-up - Bios-Setup - partitonswise or complete mirroring (best done by the UNIX-/Linux-command dd) OR: partitionize - formatting (Linux-filesystem, almost ext4) - encryption (of most partitions) - installation - configuration - defragmentation (not required for Linux) - making updates:

Put your installation-DVD into the CD/DVD-drive to install the operating system, together with other belonging software. We assume the rpm-(packet-manager-) based Enterprise Linux (RHEL, Fedora, CentOS or Scientific Linux) or a Mandriva-Derivat (PC Linux OS, Rosa, Mageia, Mandriva), but refer to Debian Linux and so on and (indirectly) MS Windows too!
Follow the installation-steps from DVD (resp. other media like USB)!
Do all other steps by handbooks and guidelines from manufacturer, then follow this excurs!
For the partioning, under Linux at all formlized in the device-file fstab (/etc/fstab), we recommend already at this place at least 80 GB for the Root- and 20 GB for the home-partition, around 1 GB for the Boot-partition and the threefold of the RAM-size for the SWAP-partition (memory-swapping file).
Good to know, that encryption is possible already at this place for partitioning resp. right up after the formatting. We also refer to this namely later on in detail !

Installation und update sources Enterprise Linux CentOS resp. Scientific Linux (el6, el7):

Nearby Countries



Such listed "lifetime-hardware" from our data sheed ( like the low powered mainboard ASUS ITX-220, SSD, DVD-ROM-Burner and introduced AOC-TFT) does - within common outdoor temperature tolerances - not show any symptoms andtherefore - past "endless" powering on and offs and resets (new starts) of the computer system, even not those ones like the following:

Debian turns packet format from DEB to RPM
, PRO-LINUX, 02.04.2019


Year 2010: All for the computer is done (only updating remains essential)!
Computing without any risks:
Power-saving, mouseclick-fast all-in-one lifetime-hardware (quit)
  • (quit) for free
  • breathtaking mouseclick-fast already upon listed hardware from see under "data sheed" (immediately appearing graphics per mouseclick, fast graphics (* some intensive memory programs like browser and dolphin depending on the kernel version and RAM still might need a few seconds)). This is also a good indication for a tuned, fine working system with freeness from hacker and trojans and so on.
  • "Universal Linux 2010": of at least 8 MB RAM: We tested "Universal Linux 2010" out of kernel-4.19 (pclos, highly recommended, but our choice: 5.4.110 (pclos1) past 4.20.13 (pclos1), alternatively: kernel-4.18 (el8), kernel-4.9 (el6), kernel-2.32 (el6)); tls1.3 requires kernel >= 4.13, see, if functioning, mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)), glibc (el8: 2.28, pclos: the actual 2.31, mga6: 2.22, fc, for printers with 32-bit driver only like Brother install glibc (2.22, el6) too and relink and delete adequately in /lib), qt4 (el6) and KDE 4 as a mix out of kde (mdv2010.2, November 2011), kde (el6, actual patched, year 2018) and kde (4.4.4, OpenSuSE, 2013), glibc like glibc (pclos: 2.31),
    kernel-firmware (around 250 MB, OpenSuSE, slack 14.2, el6,...), kernel-firmware-extra
    If glibc (mga6, 2.22, pclos) is kept, el8, pclos (at this time 2.31), el7, el6 and ROSA (see our section Update "Universal Linux 2010") provide quit good alternatives to such high versioned Fedora Core (fc >= 29).

    If a 32-bit-printer-driver is used, keep the previous glibc for i586, just install glibc (pclos: 2.31 x86_64, el6, x86_64)!

    In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

    After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".
  • without any breakdowns (stable hard- and software)
  • shock-proofed ( SSD )
  • break-in-protection (chassis intrusion detection, baby phone etc.)
  • standardized, scientific Open Source (code from project groups and software practica of universities)
  • self-repairing
  • surface covering software (client, server, all rubriques including 3D- und 2D-games, ...) and all already installed on harddisc
  • free from licence fees
  • free from all maintenance
  • free from virusses, worms, hacker, trojans, malware, adware, spyware, Meltdown and Spectre, pharming, spam, phishing, bots, tracking-scripts, cryptominers, driver-problems, ...
  • without need of playing doctor (without essential harddisc-scans and self-checks)
  • free from any password-hacks and -cracks by locked system and user accounts upon /sbin/nologin for the login-shell, by using (access-protected) key-files from harddisc for the
  • LUKS-encrypted partitions (except the LUKS-encrypted root-partition), common read/write/executable/suid/sgid/sticky-access-rights and ACL together with owner rights upon processes directories and files ( especially /usr/bin/su and /bin/su )
  • through special kernel-, boot- and mount options, pamd-Login
  • Start of X (X11, X-Windows) through options -nolisten tcp and -xauth, special "xhost-"-locks for other user
  • Kernel-Securty-Modules (grub-boot-option security): MAC (what is not needed anymore to achieve promised total security, it´s just for lovers): Mandatory Access Control (restricatable process interaction): AppArmor, Tomoyo (graphical support), SELinux, ...
  • All root owned processes except X (and mgetty/mingetty, if installed) are started by kthreadd and belong to the kernel
  • Hardened kernel (not essentially needed, it origins from Kernel-Security-Module secumod): grsecurity-patches, paxctld
  • communication and surfing without any tracks in the world wide web and internet (prconfigured through prefs.js resp. user.js, through firejail sandbox-protected
  • Firefox-ESR (Extended Security Release bzw. Pale Moon) with special extensions in private mode), with
  • Tor (Tor-Browser) even anonymized within one more own sandbox without the origin IP (anonymized computer-identifying number out of the ipv4-address-namespace) and even
  • DNS-Traffic is kept anonymous by TorDNS as the remote-host-DNS, while the most frequent DNS-queries get resolved local within /etc/hosts and persistently pdnsd within the harddisc-cache (/var/lib/cache/pdnsd/pdnsd.cache).
  • With Firejail many browser are running firejail´s suid-sandbox, processed under user "surfuser" of the group "surfgroup" resp. "toruser" and "torgroup" by
  • https/SSL/TLS (TLS2.0, TLS3.0) not hackable end-to-end-encrypted net-connections
  • free from Man-In-The-Middle-Attacks etc. and therefore (through Firewall Linfw3) without ICMP-, UDP- and IGMP-traffic and other communications (communication protocols): iptraf for example always shows an empty second field below the field with the TCP-connections) and so on
  • quit upgrade and update-free past year 2026 ( nahezu )
  • all partitons including the root-partition and USB-memory-sticks, temporary directories and SWAP-filei are encrypted (FSE: Full System Encryption by LUKS, OpenPGP forr E-mail and single directories and files)
  • Because of common read/write/executalbe-access-rights and ACL, directories and files remain free from read, write and execution for all user (except root), especially for the surfuser except oneself as the active user:

paranoid security without too many restrictions for the user!

With this system, be welcomed live on the daily update-channel from year 2010 up to year 2026 and longer!

Described "Universal-Linux" also includes emulators for other operating systems (beneath boot manager grub for the multi-boot):
  • MS Windows 3.1, 95, 98, SE, ME, NT 4.0, NT 3.5, XP, 2003, Vista, Windows 2008, Windows 7, alles sowohl i686 (32 Bit) als auch x86_64 (64 Bit): Emulator wine (hauptsächlich), qemu oder xen), Virtualisierung: KVM (Kernel-Modul kvm-amd, kvm-intel mit libvirt, qemu-kvm, libvirt-client, libvirt-daemonsystem, bridge-utils, Virt-Manager, von Red Hat entwickelten und von Microsoft signierten Gerätetreiber ( Virt-IO-Driver )), Virtualbox, Vmware ( Einzelheiten zur Virtualisierung siehe z.B. )
  • MS DOS (dosemu)
  • Apple Macintosh (basiliskII), PowerMAC (SheepShaver)
  • Cisco 7200 and 3600 and Freescale Coldfire 5206 Emulator​ (dynamips)
  • Amiga (uae, fs-uae, e-uae, uade)
  • Atari ST, Atari 8 Bit Computer (hatari)
  • Commodore VC 64 (vice, micro64), Amstrad CPC (caprice32),
  • ZX Spectrum (fbzx), MSX (fmsx, openmsx), NeoGeo (gngeo), Dragon32, Dragon64 und Tandy CoCo (xroar), Minitel (xtel), Nintendo Gameboy (zboy), TI89(Ti)/92(+)/V200 emulator (tiemu3)​ 
  • Multi-System-Emulator (simh)
  • and many other computer operating systems.

Gooken internet search engine shows you on this website step by step (hook by hook), what has to be done for reaching this total IT-security for the computer! You can enjoy hardened Linux booting from DVD, alternatively from USB-Stick:
"Tails Linux: The Anti-NSA-PC, 04.23.2014
Can NSA crack everything, even hardest encryption? Only a UNIX/Linux based System can achieve security, means one of the authors below. Edward Snowden knows more about this than other ones. In order to make communication really secure, he decided to install the Linux-Distribution Tails. CHIP shows the Anti-NSA-PC for free [...]. Fast and simple: Tails runs as hardened Debian Linux",

Edward Snowden also recommends a in his eyes secure Linux/UNIX-derivate on News&Links#Computer and News&Links#Alternatives and secure apps. But if the well-known referencial Computer-system resp. "Universal-Linux" we are going to introduce should ever not be such secure as it ought to be, the setting of the ro-option standing for read-only for the root-partition in /etc/fstab resp. /boot/grub/menu.lst (grub1, analogous grub2) past all the installing and updating can create a shoot-steadfast Linux even on harddrives doing its best.

Darknet-Browser Tor is ready for Android: You can surf complete anonymously with your handy, CHIP, 27.05.2019
The Tor-Browser is rated as a symbol for anonymes surfing in the internet and the easiest way into the Darknet. Now a ready version of the browser was provided in the Google Play Store. We show you, howto surf with this browser by upon your Android smartphone over the Tor-network.

Year 2016: Incredible high rubbish-hills of packages for not actual Linux-distributions are still provided by contributors like and Most distribution versions can not be kept up-to-date, while the update-list from is increasing day by day. Linux, comment from newsgroup alt.linux.suse, year 2003:

"I am so happy, that my linux run stable for the last 12 hours!".

More today:

Red Hat Enterprise Linux 7.1 receives extended security certifications, Pro-Linux, 14.12.2017
Without modification, Red Hat Enterprise Linux got certified for the "General-Purpose Operating System Protection Profile" (OSPP) 3.9. Now Red Hat Enterprise Linux can be used and applied in security-critical environments.

Date: 30.03.2011, thanks, we got it: [espeak -v en "] Secure, OKmouseclick-fast upon MS Windows 7 and Linux and all belonging Linux-games: (bohemian) 19 W power consumpting computer ASUS (mini) ITX-220 from year 2009/2010 with a socked, crasfree bios, onboard Intel-soundchip, onboard Atheros-LAN-Chip and -ROM and onboard INTEL graphics, AOC WLED-TFT less 18 Watt with more than one million working hours, all for about 200 €. Looking upon technical revisions and software-rpm-packet-changelogs one notices, the world gave its best: 2010 - (quit) everything has been made for computers - magic year of fast, ergonomic, powersaving hardware, year of Mandriva 2010, year of CentOS 6 ( DVD CentOS 6 (actual tenth-revision, with many updates and patches by Jonny Hughes, NY) for 4,95 € or for free out of the internet ) and the for the more than 50.000 next ten years (until year 2026) fixed and patched packet-versions of Fedora Project resp. the in a careful way resulting and ( Fedora Core (fc) - ) backported Enterprise Linux (el) resp. CentOS 6, where its IT-security raised up quit to maxium by concept with methods, configurations and updates we want to present here on this webside, so that computer-technique got solved (after a long, long time ...): error-free (total: since python-stablity-patch from year 2016), free from trojans, hacker, viruses, spyware, adware, everything. Day after day the amount of still missing software declined and you still have to keep the computer up to date sometimes by installing some updates. Up to that year, the paid prices for different Linux distributions can exceed even those of other operating systems. But now you won´t have any difficulties. Text to the illustration from the top, Build your final


consisting of up to 100 DVD a 4,4 GB full of rpm- and deb-packages (Debian) and many Tarballs from anywhere ON THE DAILY UPDATE-PATCH-CHANNEL (fc, el6/sl6) and belonging more Packages from, and All kind of Linux-games run fine too.

Similar to Scientific Linux, "CentOS" stands for "Community Enterprise Operating System". It is based to 100% upon the source code of Red Hat Enterprise Linux. The only difference is, that commercial support is missing. Typical CentOS-user are organizations and private people aiming for a stable Enterprise-operating-system without the need of commercial support. The stable versions of CentOS are supported with (RPM-) acutualizations for ten years.
CentOS is a Linux-Distribution from Red Hat with the same source code like Red Hat Enterprise Linux. Since January 2014 CentOS belongs to Red Hat as a costly free alternative to Red Hat Enterprise Linux for all those, that do not need commercial support for Red Hat Enterprise Linux. Even no one guarantees, CentOS in fact is almost compatible with Red Hat Enterprise Linux.ötigt-noch-etwas-zeit.html

What we are going to describe in the following:

No hacker, no virusses, no trojans, no malware, no ad- and no spyware, no ransomware, no dangerous scripts, rare resp. no left traces in the net, ..., nothing of it, and no kernel up from 2.6.39 (if stable) and not much root owned processes, that can affect the computer system anymore: use
  • command dd for secure working with the partitionwise restores and backups started from an encrypted rescue partition, usb-memory-stick or DVD like Knoppix together with cryptsetup (LUKS) installed,
  • ipables-based firewall linfw3,
  • port scan detection (psad, psd),
  • intrusion detection sysems (IDS)
  • the local dns-cache dnsmasq
  • and adblocker like our listing importing konqueror-adblocker and free useragent-settings and other extensions for your browser together with
  • sandbox firejail (pclos),
  • configure /etc/fstab for the declaration of the partitions and file systems, in our case ext4 under security aspects,
  • configure /etc/passwd for the blocking shells,
  • set owner- and access-rights,
  • ACL (setfacl/getfacl),
  • use MAC (apparmor, tomoyo) and
  • chattr upon UNIX/Linux-filesystems and follow the
  • configurations and methods introduced here on this webside to make security really possible! Profit from
  • end-to-end-encrypting TLS/SSL used by browser like Konqueror, Firefox, Firefox ESR resp. Tor-Browser (Firefox ESR) and
  • pgp/gpg- and TLS-based e-mail-clients like Thunderbird and/or Kmail, claws-mail with claws-mail-plugins, ...
  • all this upon a Luks/dm-crypt and dracut full encrypted computer-system (FSE), going sure also with a read-only set (and by dracut LUKS-encrypted) root-partition.

HOWTO: Either you install the version of an actual (new) Linux-distribution after the expiration of the updates for your installed one, we recommend Debian Linux resp. Ubuntu, SuSE Linux, Fedora, the in a careful way from Fedora resulting and backported CentOS (resp. RedHat), Rosa and Openmandriva, PCWelt: Ubuntu and Mint, or you install the covering and approved (and many, many TOP-games on the base of OpenGL and SDL including) el6, mdv2010.0 resp. mdv2011, mga1 up to mga3 or any rpm-distribution of the last decades from and care for its updates. For mdv2010.0 you think of updating with the secure running autumn- and spring- updatening version mdv2010.1 and mdv2010.2 to mdv2010.2 (65 GB, around 15 DVD).

OKHow does this work? It´s easy (or it sound so): All you need for the next time in principle is "any" Linux-distribution from DVD/CD, USB-memory-stick or per download out of the internet etc., one that is named by PRO-Linux ( withiin the hugh update-listing of the last ten, twenty years. Install this distribution following the self activating installation instructions onto an installation media (we recommend an at least 120 GB Solid State Disk (SSD with an at least 65 GB sized main- resp. root-partition and at least 2 GB SWAP-partition)) and eventually more single programms resp. packages with the help of an as much expressive packagemanger as possible. We recommend Debian Linux or a ( Fedora Core - ) backported and long-update-support guaranteeing Linux-Distribution (like RedHat resp. CentOS and Scientific Linux el6 and el7). Regardless from the amount of software resp. packages, this Linux-Distribution can be considered as a gear to the big UNIX/Linux- and its emulation-world of even more, we recommend actual UNIX-/Linux-distributions, actual updates and all kind of software and games. Emulation means, that with the help of emulators (like Wine for MS Windows) and virtual machines like Xen and Qemu software running upon other operating systems can be used too. Notice, that it is possible to install all software on the installation media at once without risking too much. The important thing is, that it is possisble to upgrade the Standard-GNU-C-library (glibc) of this distribution, so that the kernel of the LONGTERM-series out of kernel-3 and -4 can be upgraded too..

A securing 1:1 partioned media should not miss! Perform all security methods introduced in future point by point as soon as possible, as the installation is endangered extremely (by hacker and so on) with the very first built-up connection to the net!

quot;There is not much diffrence between the Linux-Distributions / Der Unterschied zwischen den Linux-Distributionen ist nicht sehr groß mit Ausnahme der Basisinstallation und der Paketverwaltung. Die meisten Distributionen beinhalten zum Großteil die gleichen Anwendungen. Der Hauptunterschied besteht in den Versionen dieser Programme, die mit der stabilen Veröffentlichung der Distribution ausgeliefert werden. Zum Beispiel sind der Kernel, Bind, Apache, OpenSSH, Xorg, gcc, zlib, etc. in allen Linux-Distributionen vorhanden."

OKAvoid Legacy Communication Services

A large number of legacy Unix programs do not provide essential security during data transmission. These include FTP, Telnet, rlogin, and rsh. No matter whether you´re securing your Linux server or personal system, stop using these services for good.
You can use other alternatives for this type of data transfer tasks. For example, services like OpenSSH, SFTP, or FTPS makes sure that data transmission happens over a secure channel. Some of them employ SSL or TLS encryptions to harden your data communication. You may use the below commands to remove legacy services like NIS, telnet, and rsh from your system.
# yum erase xinetd ypserv tftp-server telnet-server rsh-server
# apt-get --purge remove xinetd nis yp-tools tftpd atftpd tftpd-hpa telnetd rsh-server rsh-redone-server
Use the first command for RPM-based distributions like RHEL and Centos or any system that uses the yum package manager. The second command works on Debian/Ubuntu-based systems.

OKEnable SELinux
SELinux or Security Enhanced Linux is a security mechanism that implements various methods for access control at the kernel level. SELinux is developed by Red Hat and has been added to many modern Linux distributions. You can think of it as a set of kernel modifications and user-space tools. You can check out whether SELinux is enabled in your system or not by using the below command.
# getenforce
If it returns enforcing that means your system is protected by SELinux. If the result says permissive that means your system has SELinux but it´s not enforced. It will return disabled for systems where SELinux is completely disabled. You can enforce SELinux by using the below command.
# setenforce 1

OKLock Login Attempts after Failure
Admins should make sure that users can´t log into their server after a certain number of failed attempts. This increases the overall security of the system by mitigating password attacks. You can use the Linux faillog command to see the failed login attempts.
# faillog
# faillog -m 3
# faillog -l 1800
The first command will display the failed login attempts for users from the /var/log/faillog database. The second command sets the maximum number of allowed failed login attempts to 3. The third one sets a lock of 1800 seconds or 30 minutes after the allowed number of failed login attempts.
# faillog -r -u <username>,
Use this command to unlock a user once they´re prohibited from login. The max number of failed login attempts for the root user should be high or else brute force attacks may leave you locked.

OKCheck for Empty Passwords
Users are the weakest link in a system´s overall security. Admins need to make sure that no user on the system has empty passphrases. This is a mandatory step for proper Linux hardening. Use the following awk command in Linux to verify this.
# awk -F: ´($2 == "") {print}´ /etc/shadow
It will display if there´re any user accounts that have an empty password in your server. To increase Linux server hardening, lock any user that uses empty passphrases. You can use the below command to do this from your Linux terminal.
# passwd -l <username>

OKValidate the UID of Non-Root Users
A UID or User-ID is a non-negative number assigned to the users of a system by the kernel. The UID 0 is the UID of the superuser or root. It is important to make sure that no user other than root has this UID value. Else, they can masquerade the whole system as root.
# awk -F: ´($3 == "0") {print}´ /etc/passwd
You can find out which users have this UID value by running this awk program. The output should contain only a single entry, which corresponds to root.

OKRemove the X Window Systems (x11)
The X Window Systems or x11 is the de-facto graphical interface for Linux systems. If you´re using Linux for powering your server instead of your personal system, you can delete this entirely. It will help to increase your server security by removing a lot of unnecessary packages.
# yum groupremove "X Window System"
This yum command will delete x11 from RHEL or Centos systems. If you´re using Debian/Ubuntu instead, use the following command.
# apt-get remove xserver-xorg-core

OKDisable the X Window Systems (x11)
If you don´t want to delete x11 permanently, you may disable this service instead. This way, your system will boot into text mode instead of the GUI. Edit the /etc/default/grub file using your favorite Linux text editor.
# nano /etc/default/grub
Find the below line -
Now, change it to -
Finally, update the GRUB file by using -
# update-grub
The last step is to tell systemd to not load the GUI system. You can do this by running the below commands.
# systemctl enable --force # systemctl set-default

OKInvestigate IP Addresses
If you find any suspicious IP in your network, you can investigate it using standard Linux commands. The below command uses netstat and awk to display a summary of running protocols.
# netstat -nat | awk ´{print $6}´ | sort | uniq -c | sort -n
Use the below command to find more information about a specific IP.
# netstat -nat |grep <IP_ADDR>, | awk ´{print $6}´ | sort | uniq -c | sort -n
To see all unique IP addresses, use the following command.
# netstat -nat | awk ´{ print $5}´ | cut -d: -f1 | sed -e ´/^$/d´ | uniq
Feed the above command to wc for getting the number total of unique IP addresses.
# netstat -nat | awk ´{ print $5}´ | cut -d: -f1 | sed -e ´/^$/d´ | uniq | wc -l
Visit our guide on various Linux network commands if you want to dive deeper into network security.

OKDisable SUID and SGID Permission
SUID and SGID are special types of file permission in the Linux file system. Having the SUID permission allows users other to run executable files like they are the owner of those files. Likewise, the SGID permission gives directory rights similar to the owner but also gives ownership of all child files in a directory.
These are bad since you don´t want any users other than you to have those permissions on a secure server. You should find any file that has SUID and SGID enabled and disable those. The following commands will respectively list all files that have SUID and SGID permission enabled.
# find / -perm /4000
# find / -perm /2000
Investigate these files upon /etc/permissions* (permissions, OpenSuSE) properly and see if these permissions are mandatory or not. If not, remove SUID/SGID privileges. The below commands will remove SUID/SGID respectively.

OKEnable Disk Quotas
Disk Quotas are simply limits set by the system administrator which restrict usage of the Linux filesystem for other users. If you are hardening your Linux security, implementing disk quotas is mandatory for your server.
# nano /etc/fstab
LABEL=/home /home ext2 defaults,usrquota,grpquota 1 2
Add the above line to /etc/fstab for enabling disk quota for the /home filesystem. If you have already a line /home, modify that accordingly.
# quotacheck -avug
This command will display all quota information and create the files aquota.user and in /home.
# edquota <user>,
This command will open the quota settings of <user>, in an editor where you can assign the quota limits. You can set both soft and hard limits for the disk quota size as well as the number of inodes. Use the below command to view a report on the disk quota usage.
# repquota /home

OKMaintain Word-Writable Files
Word-writable files are fils that anyone can write to. This can be very dangerous since it effectively allows users to run executables. Plus, your Linux hardening is not foolproof unless you´ve set the appropriate sticky bits. A sticky bit is a single bit that, when set, prevents users from deleting someone else´s directories.
Thus, if you´ve got world-writable files that have sticky bits set, anyone can delete these files, even if they´re not owned by them. This is another serious issue and will often cause havoc on server security. Luckily, you can find all such files by using the below command.
# find /path/to/dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Replace the path argument with directories that may contain such files. You can also start from the root ‘/´ of your filesystem but it´ll take a long time to execute. Once listed, investigate the files thoroughly and change their permissions as required.

OKMaintain Noowner Files
Noowner files are files that do not have any owner or group associated with them. These can pose a number of unwanted security threats. So, admins should take the necessary measures required to identify these. They can either assign them to the appropriate users or may delete them entirely.
You can use the following find command to list the noowner files present in a directory. Check out this guide to learn more about the find command in Linux.
# find /path/to/dir -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
Inspect the results thoroughly to make sure there aren´t any unwanted noowner files in your server.

OKInstall Logwatch / Logcheck
Log analyzer

OKSecure Web Server
Linux servers are widely used for powering web applications. If you´re using your server for this purpose, you need to harden your server components appropriately. Some of these the PHP runtime, Apache HTTP server, and the Nginx reverse proxy server. Secure your Apache server by adding the below lines in the configuration file.
# nano /etc/httpd/conf/httpd.conf
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By
# systemctl restart httpd.service
We´ve prepared a standalone guide on the Nginx server a while ago. Follow the suggestions in that guide to secure your Nginx server. Head over to this documentation for learning the best PHP security practices.

OKConfigure TCP Wrappers
TCP wrappers are a host-based network filtering system that allows or denies access to your host services based on pre-set policies. However, for it to work, your host service must be compiled against the libwrap.a library. Some common TCP wrapperd Unix daemons include sshd, vsftpd, and xinetd.
# ldd /sbin/sshd | grep libwrap
This command will notify if a service is supported by TCP wrappers or not. The TCP wrappers system enforces access control using two configuration files, the /etc/hosts.allow and /etc/hosts.deny. For example, add the following lines to /etc/hosts.allow for allowing all incoming requests to the ssh daemon.
# nano /etc/hosts.allow
sshd : ALL
Add the following to /etc/hosts.deny for rejecting all incoming requests to the FTP daemon. # nano /etc/hosts.deny
vsftpd : ALL
To see more information about the configuration options, consult the tcpd man page, or visit this documentation from FreeBSD.

OKMaintain Cron Access
Linux provides robust automation support by means of cron jobs. In short, you can specify routine tasks using the cron scheduler. Visit our earlier guide on cron and crontab to learn how cron works. Nevertheless, admins must make sure that ordinary users are unable to access or put entries in the crontab. Simply put their usernames in the /etc/cron.deny file to do this.
# echo ALL >,>,/etc/cron.deny
This command will disable cron for all users in your server except root. To allow access for a specific user, add his username.

OKDisable Ctrl+Alt+Delete
The Ctrl+Alt+Delete key combinations allow users to force reboot many Linux distributions. This can be particularly problematic if you´re managing a secure server. Admins should disable this hotkey in order to maintain proper Linux hardening. You can run the following command to disable this in systemd-based systems.
# systemctl mask
If you´re on legacy systems that use init V instead of systemd, edit the /etc/inittab file and comment out the following line by appending a hash before it.
# nano /etc/inittab

OKRestrict Core Dumps
Core dumps are memory snapshots (core-files) that contain crash information of executables. These are created when binaries stop working or crash in simple terms. They contain too much sensitive information about the host system and may threaten your Linux security if fallen into the wrong hands. Thus, it is always a good idea to restrict core dumps on production servers.
# echo ´hard core 0´ >,>, /etc/security/limits.conf
# echo ´fs.suid_dumpable = 0´ >,>, /etc/sysctl.conf
# sysctl -p
# echo ´ulimit -S -c 0 >, /dev/null 2>,&1´ >,>, /etc/profile
Run the above commands to restrict cor dumps on your server and increase Linux hardening.

OKRight up from the very beginning - installing an OS like UNIX/Linux

... most already through installation media:

format -" partitioning -> format -> encryption (full system encryption, FSE) -> format -> installation (from extern media) -> configuration -> defragmentation (not essential for many UNIX/Linux file systems) -> encryption (full system encryption, FSE) -> (backup with dd and) actualization -> configuration -> (backup with dd and) actualization ( ... notice total time needed: ? )

Alternatively: Some nice "guy" or so does many things for you by mirroring almost completed system from his onto your own media (SSD (sdx), harddisc (S-ATA: sdx, IDE: hdx, CD-/DVD, USB-memory stick, ...). This can save plenty of time (look out for the right processor architecture (x86_64, i686, ...) and set /etc/X11/xorg.conf for the next time to vesa or fb)! Do this mirroring with a command like: "dd if=/dev/sda of=/dev/sdb"
Use sdd instead of dd to see a progress bar.

Used editor in the following: nano

First this webside introduces some configurations, followed by actualization, partitioning, encryption during the introduction of basic shell-commands.

OKMounting partitions the right way
When mounting an Ext file system (ext2, ext3 or ext4), there are several additional options you can apply to the mount call or to /etc/fstab. For instance, this is my fstab entry for the /tmp partition:

/dev/hda7 /tmp ext2 defaults,nosuid,noexec,nodev 0 2

You see the difference in the options sections. The option nosuid ignores the setuid and setgid bits completely, while noexec forbids execution of any program on that mount point, and nodev ignores device files. This sounds great, but it:

only applies to ext2 or ext3 file systems

can be circumvented easily

The noexec option prevents binaries from being executed directly, but was easily circumvented in earlier versions of the kernel:

alex@joker:/tmp# mount | grep tmp
/dev/hda7 on /tmp type ext2 (rw,noexec,nosuid,nodev)
alex@joker:/tmp# ./date
bash: ./date: Permission denied
alex@joker:/tmp# /lib/ ./date
Sun Dec 3 17:49:23 CET 2000

Newer versions of the kernel do however handle the noexec flag properly:

angrist:/tmp# mount | grep /tmp
/dev/hda3 on /tmp type ext3 (rw,noexec,nosuid,nodev)
angrist:/tmp# ./date
bash: ./tmp: Permission denied
angrist:/tmp# /lib/ ./date
./date: error while loading shared libraries: ./date: failed to map segment
from shared object: Operation not permitted

However, many script kiddies have exploits which try to create and execute files in /tmp. If they do not have a clue, they will fall into this pit. In other words, a user cannot be tricked into executing a trojanized binary in /tmp e.g. when /tmp is accidentally added into the local PATH.

Also be forewarned, some script might depend on /tmp being executable. Most notably, Debconf has (had?) some issues regarding this, for more information see Bug 116448.

OKDecisive advantage of option noexec, especially for the home partition: Potential virus host cells (executable files, that may be virus infected hosts) remain absolutely ineffective! Viruses can not infect files on the home partition and temporary partitions, if the option noexec is set (while the root-partition got already resistant against viruses in usermode by normal access-rights below or equal chmod <=755 for owners like root !)

The following is a more thorough example. A note, though: /var could be set noexec, but some software [21] keeps its programs under in /var. The same applies to the nosuid option.

/dev/sda6 /usr ext3 defaults,ro,nodev 0 2
/dev/sda12 /usr/share ext3 defaults,ro,nodev,nosuid 0 2
/dev/sda7 /var ext3 defaults,nodev,usrquota,grpquota 0 2
/dev/sda8 /tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda9 /var/tmp ext3 defaults,nodev,nosuid,noexec,usrquota,grpquota 0 2
/dev/sda10 /var/log ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda11 /var/account ext3 defaults,nodev,nosuid,noexec 0 2
/dev/sda13 /home ext3 rw,nosuid,nodev,exec,auto,nouser,async,usrquota,grpquota 0 2
/dev/fd0 /mnt/fd0 ext3 defaults,users,nodev,nosuid,noexec 0 0
/dev/fd0 /mnt/floppy vfat defaults,users,nodev,nosuid,noexec 0 0
/dev/hda /mnt/cdrom iso9660 ro,users,nodev,nosuid,noexec 0 0

OKPostfix - shorten information


smtpd_banner = $myhostname ESMTP $mail_name (FreeBSD/GNU)

... that means without version number and eventually with a new operating system name.

OKdbus (messagebus): Secure up single service-files
dbus of many versions does make mistakes from time to time, by removing single service-files out of /usr/share/dbus-1/services and /usr/share/dbus-1/system-services from time to time without being allowed.
Therefore all service-files should be backuped in any backup-directory.

Exchange "Exec=kded" into "Exec=kded4"
nano /usr/share/dbus-1/services/org.kde.kded.service
[D-BUS Service]

OKJust update by the kernel-binary (kernel-...rpm) or configure, patch and compile the kernel-source (kernel-...rpm.src)
We assume, that any rpm-based Linux-Distribution is already installed on a storage media like harddisc. Our section for updates refers to RedHat, CentOS oder Scientific Linux, Fedora Core, PCLinuxOS, ROSA, Mageia oder Mandriva.
How to configure, patch and compile kernel-sources: Download and install all binary rpm required for the kernel. Then download, install or enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package", rpm on the kernel-source-rpm or file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "menu oldconfig".. A file .config is created to configure the kernel.
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from.
For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel (pclos, rosa2016.1, el8, el7) and kernel-desktop (mdv2011) but not kernel (el6):

Generally, the security level of software is not only presented by stability, but also by the freeness of errors and warnings during the compilation of their source codes listed by the compiler. Kernel-2.6.32 (el6) consists of many of them and some of them are caused by kmem.h, while the quit restless error-free (only a few small patches 2012-2016 inclusive dirty-cow are known!) kernel- (mdv2011) runs error-free on our system without any warnings during the compilation time of around four hours! This is the best sign for good and secure running code. The only thing remaining is to patch with the dirty-cow-patch in mm.h and memory.c.

Kernel: We recommend kernel 4 (we chose 5.4.110 (pclos) past 4.20.13 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)) and glibc (el8, pclos)), but do describe now (also running on some playstations and so on) patched up to date by sources (containing the dirty-cow-patch in main), consisting of less compilation warning and no errors than 2.6.32 (el6). This mdv-kernel is described from patch-sources like, kernel itself from kernel-desktop (mdv2011): glibc (pclos, mga6), module-init-tools (we recommend mdv2011, but you can also use el6, up to 3.16; append ".conf" to all files in /etc/modules.d; module-init-tools (mdv2011) never makes trouble with it), coreutils (el6), initscripts (mdv2011, pclos and el6 as depecited below), util-linux (mdv2011 or el6 except /bin/mount, /bin/mount and /lib64/libmount* you have to delete after enpacking the rpm (not installing!) and copying its include), kernel-firmware (pclos, slack14.2 with more than 250 MB unpacked, mga6, el6), if you want plus kernel-firmware (OpenSuSE 42.1, 32 MB) plus kernel-firmware (OpenSuSE 13.2) plus linux-firmware (fc27, 35 MB) plus kernel-firmware-extra (pclos, rosa2014.1), kernel-headers (el6), kernel-doc (el6), ksymoops (OpenSuSE 12.2, mdv2011), coreutils (el6), coreutils-libs (el6), binutils (fc25, el6), nss (el7, el6, fc30), nss-softokn (el7, el6, fc30), nss-sysinit (el7, el6, fc30) und nss-softokn-freebl (el7, el6, fc30), nss-util (el7, el6, fc30), nss-tools (el7, el6, fc30) .
glibc (el8: 2.28, pclos: the actual 2.31, mga6: 2.22, fc, for printers with 32-bit driver only like Brother install glibc (2.22, el6) too and relink and delete adequately in /lib),

In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

All patches for until now are available in the internet from
compiler-gcc5, add-timesys-bootlogo, dirty-cow, lantronix-ts1, no-setlocalversion, no-unused-but-set-variable, revert-nfsroot,, ltrx-image-rom and yaffs2.

Patch: patch (el6, fc27, mdv2010.1) has to be installed. Then type "patch -p1 < ../patchname.patch "

But at first do the following:

Actual Kernel: how to install a patched kernel-source: A lot of freed partition (memory) is required, maybe plenty of Gigabyte. Download and install all binary rpm required for the kernel. Then download and enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package" or file-roller.

Two possibilites:
1) building a kernel-rpm out of the sources after applying the patches: Configure the spec-file of the installed source-rpm by adding or commenting in and out the patches to build a new binary kernel-rpm to install or update: For CentOS and mdv depending on the package manager use command "rpm -ba" instead of "rpmbuild -ba" kernel-xxx.spec to create the binary..
2) Configure the sources and compile them:
A new directory named "linux-kernelversion" or "kernel-source-kernelversion" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-kernelversion linux" resp. "ln -sf kernel-source-kernelversion linux".
Change into this directory linux resp. linux-kernelversion resp. kernel-source-xxxx and call "menu oldconfig". A file .config is created to configure the kernel. Copy .config to include/config/auto.conf

If you do not know, what to enable or not, choose MM
(M) or (CC) to load as a module wherever possible,
(A) or (CC MM) auto-load the module or
(-): resign from the module.

Example (module extraction of kernel-2.6.39-40.src.rpm)

General Preparation of Linux, kernel-2.6.39-40.src.rpm

In order to take a firewall in use, kernel support for iptables and modules should be enabled.
Open a konsole and enter one of the statements
make menuconfig for the Dialog-GUI,
male xconfig for tk-GUI or
make gconfig with GTK or
make config

Choose kernel options within

Networking options --->
[*] Network packet filtering (replaces ipchains)
IP: Netfilter Configuration --->
(M) Userspace queueing via NETLINK (EXPERIMENTAL)
(M) IP tables support (required for filtering/masq/NAT)
(M) limit match support
(M) MAC address match support
(M) netfilter MARK match support
(M) Multiple port match support

(M) TOS match support
(M) Connection state match support
(M) Unclean match support (EXPERIMENTAL)
(M) Owner match support (EXPERIMENTAL)
(M) Packet filtering
(M) REJECT target support
(M) MIRROR target support (EXPERIMENTAL)
(M) Packet mangling
(M) TOS target support
(M) MARK target support
(M) LOG target support
(M) ipchains (2.2-style) support
(M) ipfwadm (2.0-style) support

think of other options (modules), store this configuration.

Before iptables can be used, the kernel module netfilter for the support of iptables has to be loaded e.g. by the statement modprobe:
# modprobe ip_tables

kernel-firmware (binary blobs within /lib/firmware, rpm kernel-firmware (around 250 MB) and/or kernel-firmware-extra ):

For kernels before 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
-*- Userspace firmware loading support
[*] Include in-kernel firmware blobs in kernel binary
(/lib/firmware) Firmware blobs root directory

For kernels beginning with 4.18:
KERNEL Enable support for Linux firmware

Device Drivers --->
Generic Driver Options --->
Firmware loader --->
-*- Firmware loading facility
() Build named firmware blobs into the kernel binary
(/lib/firmware) Firmware blobs root directory

Type "make dep && make clean && make mrproper" .

Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from, or for a pregiven configuration type "make oldconfig".

For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel-desktop (mdv2011) but not kernel (el6):
within the first item "General Setup"enable "Initial-RAM-filesystem and RAM-disk-support"and in "general drivers" enable the option "Maintain a devtmpfs at /dev/ with subitem "automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know, what to enable or not, choose MM to load as a module wherever possible.
Save the new .config.
Set the Kernel-Version at the top of the makefile.
Three possibilites, after the patching of the source-code like the dirty-cow-patch:
patch -p1 < ../any_patch.patch
apply all other patches in this way
make -i rpm (to create the binary kernel-rpm package, what endures on our system for around four hours)
make all # or
make dep (dependency properties to establish the relationship)
make clean (to remove the old data)
make bzImage (to create its core vmlinuz for /boot only after renaming the created file bzImage: time needed: around 30 minutes) or
make bzImage &,& make modules && make modules_install for the installation of the kernel-modules too.
Copy the bzImage to /boot, rename it to vmlinuz-kernelversion.
Use mkinitrd resp. in the case of FSE (Full Disk Encryption resp. encrypted root-partition) dracut to create the initrd resp. initramfs within directory /boot. If dracut does not work anymore ex. as a cause of updates, rename the new-kernel-version to the old-kernel-version in Makefile and make bzImage once again.
If you use grub as the bootloader and not grub2 and the configufile is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz-kernel-versions. If a new initramfs or initrd is created, enter them in the line for initrd.

OKInstallation guide and for tuning Linux secure: and ( in our example related to mdv2010.2 or CentOS 6 el6 with many patches/updates by Jonny Hughes, NY ). Be careful, for example with the exchange of the password-encryption from md5 to sha256 or sha512 and the /etc/system-auth. Make backup or copies!

Through "about:config" many URL can be removed out of the listing after typing in "http".

OKUsing Compile-time-Hardening-Options
Several compile-time options (detailed below) can be used to help harden a resulting binary against memory corruption attacks or provide additional warning messages during compiles. Using "dpkg-buildflags" is the recommended way to incorporate the build flags in Debian.
See ReleaseGoals/SecurityHardeningBuildFlags for additional information,
For a step-by-step guide, see the HardeningWalkthrough,
Fedora/CentOS etc:

OKListing: Linux-Security-Updates up from year 2000,
... of the most important distributions with naming the closed error, bug resp. exploit

OKRecent security pages
Here are the most recent security pages, with a comprehensive roundup of a week´s worth security-related information.

Date Contents
Apr 12, 2017 Network security in the microservice environment; Two Project Zero reports; ..
. Apr 05, 2017 ARM pointer authentication; Quotes; Exploiting Broadcom WiFi; ...
Mar 29, 2017 refcount_t meets the network stack; Quotes; ...
Mar 22, 2017 Inline encryption support for block devices; Shim review; ..
. Mar 15, 2017 A kernel TEE party; Quotes; Struts 2 vulnerability; ...
Mar 08, 2017 A new process for CVE assignment; Smart TV bugging quotes; Threat modeling ...
Mar 01, 2017 The case of the prematurely freed SKB; SHA-1 collision and fallout; ...
Feb 22, 2017 The case against password hashers; New vulnerabilities in dropbear, kernel, nagios-core, qemu, ...
Feb 15, 2017 A look at password managers; New vulnerabilities in kernel, libevent, mysql, php, ...
Feb 08, 2017 Reliably generating good passwords; New vulnerabilities in epiphany, graphicsmagick, gstreamer (and plugins), spice, ...
Feb 01, 2017 The Internet of scary things; New vulnerabilities in ansible, chromium, kernel, mozilla, ...
Jan 25, 2017 Security training for everyone; New vulnerabilities in fedmsg, firejail, java, systemd, ...
Jan 18, 2017 Ansible and CVE-2016-9587; New vulnerabilities in bind, docker, qemu, webkit2gtk, ...
Jan 11, 2017 SipHash in the kernel; New vulnerabilities in kernel, kopete, syncthing, webkit2gtk, ...
Jan 04, 2017 Fuzzing open source; New vulnerabilities in bash, httpd, kernel, openssh, ...
Dec 22, 2016 OWASP ModSecurity Core Rule Set 3.0; New vulnerabilities in apport, kernel, libupnp, samba, ...
Dec 14, 2016 ModSecurity for web-application firewalls; New vulnerabilities in jasper, kernel, mozilla, roundcube, ...
Dec 07, 2016 Locking down module parameters; New vulnerabilities in chromium, firefox, kernel, xen, ...
Nov 30, 2016 Django debates user tracking; New vulnerabilities in drupal, firefox, kernel, ntp, ...
Nov 16, 2016 Reference-count protection in the kernel; New vulnerabilities in chromium, firefox, kernel, sudo, ...

OKSetting /usr read-only for the separate usr-partition
If you set /usr read-only (in /etc/fstab), you will not be able to install new packages on your Debian GNU/Linux system. You will have to first remount it read-write, install the packages and then remount it read-only. apt can be configured to run commands before and after installing packages, so you might want to configure it properly.
To do this modify /etc/apt/apt.conf and add:

Pre-Invoke { "mount /usr -o remount,rw" };
Post-Invoke { "mount /usr -o remount,ro" };

Note that the Post-Invoke may fail with a "/usr busy" error message. This happens mainly when you are using files during the update that got updated. You can find these programs by running

# lsof +L1

Stop or restart these programs and run the Post-Invoke manually. Beware! This means you´ll likely need to restart your X session (if you´re running one) every time you do a major upgrade of your system. You might want to reconsider whether a read-only /usr is suitable for your system ( and please notice, that this might not be recommended, if there is an encrypted root-partition), see also this discussion on debian-devel about read-only /usr.
We are going to encrypt even more the complete system (FSE) by reliable LUKS, including the complete root- and home-partition (and USB-media) to set partitions unwriteable to read-only. Notice, that this does not exclude the same for a separate usr-partition.

OK/etc/pam.d/system-auth ( tested just on our platform and system ):

auth required
auth sufficient try_first_pass likeauth
auth required
auth requisite uid >= 500 quiet
auth required deny=3 onerr=fail unlock_time=60
account sufficient shadow
account required
account sufficient uid < 500 quiet
account required per_user
password required try_first_pass retry=3 minlen=6 dcredit=1 ucredit=0
password sufficient try_first_pass use_authtok sha512 shadow remember=2
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

More about pam-modules:

OKOne more things with PAM:
Use encryption other than DES for your passwords (making them harder to brute-force decode).
Set resource limits on all your users so they can´t perform denial-of-service attacks (number of processes, amount of memory, etc).
Enable shadow passwords (see below) on the fly.
Allow specific users to login only at specific times from specific places.
Within a few hours of installing and configuring your system, you can prevent many attacks before they even occur. For example, use PAM to disable the system-wide usage of .rhosts files in user´s home directories by adding these lines to /etc/pam.d/rlogin:

# Disable rsh / rlogin / rexec for users
login auth required no_rhosts


OKAccount locking
While having strong passwords in place for user accounts can help thwart brute force attacks as mentioned previously in point 18 - Enforce strong passwords, this is only one way of slowing down this type of attack. A good indication of brute force attack is a user account that has failed to log in successfully multiple times within a short period of time, these sorts of actions should be blocked and reported. We can block these attacks by automatically locking out the account, either at the directory if in use or locally.

The PAM module can be used to lock out local accounts after a set number of failures. To get this working I have added the below line to the /etc/pam.d/password-auth file.

auth required file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200

This will log all failures to the /var/log/tallylog file and lock out an account after 3 consecutive failures. By default it will not deny the root account however we can also lock out root by specifying even_deny_root (though this may not be required if you have disabled root access as per point 3 - Disable remote root access and point 4 - Disable root console access). The unlock time is the amount of seconds after a failed login attempt that an account will automatically unlock and become available again.

Failed logins can be viewed as below, to view all failures simply remove the --user flag.

[[email protected] ~]# pam_tally2 --user=bob Login Failures Latest failure From bob 4 08/21/15 19:38:23 localhost

The failure count can be manually reset by appending -reset onto this command.

pam_tally2 --user=bob --reset

If a login is successful before the limit has been reached the failure count will reset to 0. For more details see the pam_tally2 manual page by typing ´man pam_tally2´.

It´s worth noting that the manual page advises to configure this with the /etc/pam.d/login file, however I found that under CentOS 7 this did not work and needed to use the /etc/pam.d/password-auth file instead. I also tried using /etc/pam.d/system-auth which I found documented elsewhere but this also failed, so this may differ based on your operating system.

You can also manually lock and unlock local user accounts rather than waiting for the failure limit to be reached.
Lock the user account ‘bob´.
Quelle: Migrating from shadow passwords to tcb in Linux
For a more secure Linux password system, a migration from shadow passwords to tcb is worth a little extra work. Vincent Danen tells you what you need to recompile and patch.Wechsel von shadow-Passwörtern nach tcb in Linux.
"Shadow passwords have been a de facto standard with Linux distributions for years, and as well as the use of md5 passwords. However, there are drawbacks to using the traditional shadow password method, and even md5 is not as secure as it used to be. One drawback to the shadow password file is that any application that requires looking up a single shadow password (i.e., your password) also can look at everyone else´s shadow passwords, which means that any compromised tool that can read the shadow file will be able to obtain everyone´s shadow password."

Install pam_tcb (like pam_tcb(pclos) and other pam-module-rpm). If the encryption should be blowfish, install the package bcrypt.

Source and howto:
alternatively: Migrating to tcb,

After performing the howto (but still resigning from blowfish and the deletion of the shadow-files), our modified /etc/pam.d/system-auth has got the include:

auth optional try_first_pass
auth required
auth sufficient
auth required
auth requisite uid >= 500 quiet
auth required deny=3 onerr=fail unlock_time=1200
account sufficient
account required
account sufficient uid < 500 quiet
account required per_user
password required try_first_pass retry=3 minlen=6 dcredit=1 ucredit=1
password sufficient use_authtok tcb write_to=tcb
password required
session optional
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

and /etc/pam.d/password-auth:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

auth required
auth required file=/var/log/tallylog deny=3 even_deny_root unlock_time=1200
auth sufficient shadow fork prefix=$2a$ count=8
auth required
account required
password requisite try_first_pass retry=3 type=
password sufficient try_first_pass use_authtok sha512 shadow
password required
session optional revoke
session required
session [success=1 default=ignore] service in crond quiet use_uid
session required

# /etc/nsswitch.conf
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
# The entry ´[NOTFOUND=return]´ means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
# Legal entries are:
# compat Use compatibility setup
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# [NOTFOUND=return] Stop searching if not found so far
# For more information, please read the nsswitch.conf.5 manual page.

passwd: files -root -ALL
shadow: files -root -ALL
group: files
hosts: files [success=return] dns [success=return]
networks: files
services: files
protocols: files
rpc: -root -ALL
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
ipnodes: files
sendmailvars: files
automount: files
aliases: files

Installation of software can lead to other settings, so check out this file from time to time !
More details about /etc/nsswitch.conf:
You should try the originally meant "shadow: tcb nisplus nis" instead and set hosts to "hosts: files ... dns ..." into this recommended order.
and with for all in /etc/pam.d/*
This all makes the computer once more mouseclick-fast and secure.

OKDisable Root Console Access
The previous step disables remote access for the root account, however it will still be possible for root to log in through any console device. Depending on the security of your console access you may wish to leave root access in place, otherwise it can be removed by clearing the /etc/securetty file as shown below.

echo > /etc/securetty

This file lists all devices that root is allowed to login to, the file must exist otherwise root will be allowed access through any communication device available whether that be console or other.

With no devices listed in this file root access has been disabled. It is important to note that this does not prevent root from logging in remotely with SSH for instance, that must be disabled as outlined in point 3 - Disable remote root access above.

Access to the console itself should also be secured, a physical console can be protected by the information covered in point 13 - Physical security.

OKLimited amount of processes, source. Arch Linux
On systems with many or untrusted users, it is important to limit the number of processes each can run at once, therefore preventing fork bombs and other denial of service attacks. /etc/security/limits.conf determines how many processes each user, or group can have open, and is empty (except for useful comments) by default. adding the following lines to this file will limit all users to 100 active processes, unless they use the prlimit command to explicitly raise their maximum to 200 for that session. These values can be changed according to the appropriate number of processes a user should have running, or the hardware of the box you are administrating. Do not set the limit too low. System can malfunction.

* soft nproc 300
* hard nporc 320
# user soft nproc 200
# user hard nproc 250
# surfuser soft nproc 60
# surfuser hard nporc 80
toruser soft nproc 80
toruser hard nporc 100

OKlibrepository (el6), libsafec-check (fc30, fc29): Finds unsafe APIs This once more makes computer mouseclick-fast!

OKVirus scanner ClamAV, Admin 03/20 (clamav (el6))
In order to protect Windows-Clients against the malicious internet, there are some solutions. This article introduces the best Linux-programs for it.
The secure storage of large and larger data masses is a challenge for each IT-infrastructure.
ADMIN-Magazin reported, how administrators can configure the Squid-proxy, so that he scans for viruses with ClamAV and Dansguardian. The same functions for Samba-Fileserver. You should not forget, that the scan of webtraffic and incoming E-Mail only does not care for complete security. Therefore it is still essential to run local virus scanner upon Windows-Clients.
It is not the big problem to install ClamAV, because most Linux-distributions do provide already made packages in their repositories.
Reader opinion by Gooken: For a well-configured Linux, a virus scanner is only needed for Samba and especially E-Mail-clients resp. a virus scanner, even ClamAV, of course, isn´t really needed at all!

OKBastille, msec, rkhunter, chkrootkit, clamav (clamscan, klamav), maldetect, checksec, seccheck, xsysinfo, smartd, nessus, tkcvs and cervisia, ...
At this place think of programs like bastille and msec (rosa2016.1, rosa2014.1) to check out lacks in system security, before going on with the manual configuration hook by hook. Such programs with own graphical frontends resp. wizards protocol lacks in security and are able to automatically reconfigure the system even more secure.

Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.

... can´t believe it, remark by Gooken:

As executed programs (processes), think of text processing and terminal, do already exist in the RAM...

All INTEL-CPU-generations since Celeron
"We can read out everything!",, 04.01.2017
As a consequence of a newspaper-report scientific researches from the Technical University Graz exposed the newest security-exploit in many computer processors. "We were shocked ourself, that this functions", said Michael Schwarz from TU Graz to "Tagesspiegel".
By this exploit all data could be read out, that are in actual process by the computer. "In Principle we could read out all actually entered by the keyboard." Attackers could also get data from Onlinebanking or stored passwords. "Therefore they must intrude into the computer", Schwarz restricted.

Serious hard lack in security in all Intel-CPUs, PC-WELT, 03.01.2018
A serious hard lack was found in Intel-processors of the last 10 years (excpet the one introduced by us in our data-sheed, rem., Gooken). Its closure costs performance.,3449263
OKWhat to do:
Data sheed: Plattform: ITX-220: is not listed in the table for exploited mainboards by Intel (1) and an exploit remaind undetected as the helping-tool for belonging system-analyzes from Intel indicated ( for Linux) (2). Result: Modul MEI (2) can not be found (this module can be integrated by the command "modprobe mei" manually or within /etc/modules each boot or dracut right up from the system-start).

Is there a workaround/fix?

- There are patches against Meltdown for Linux ( KPTI (formerly KAISER)), Windows, and OS X. There is also work to harden software against future exploitation of Spectre, respectively to patch software after exploitation through Spectre,
- iucode-tool (pclos2018)
OK- CPU: mouseclick-fast and secure: microcode_ctl ( do not get irritated by any other versions, install fast working (microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29: 2.1-34, rosa2016.1) upon el6 ) or ucode-intel ( OpenSuSE, >= 20190618-lp151.2.3.1.x86_64.rpm ), against ZombieLoad too (in order to get activated by console), we recommend the mouseclick-fast microcode_ctl (rosa2016.1), upon microcode_ctl (el6, rpm -i --force). Take the fastest actual microcode_ctl like microcode_ctl-1.17-33.23.el6_10.x86_64.rpm, fc29, rosa2016.1. In order to use microcode_ctl, flash the CPU by executing the command "microcode_ctl -Qu" each boot after entering it in /etc/rc.local or out of /usr/share/autostart. If it is not booted, the CPU will work upon its initial (default) microcode again.

Howto start microcode_ctl, for example add into /etc/rc.local:

echo 1 > /sys/devices/system/cpu/microcode/reload
# microcode_ctl -Qu
sh /usr/libexec/microcode_ctl/reload_microcode
start microcode_ctl automatically each boot by belonging udev-rule (number 83).

Changelog microcode_ctl
* Fr Dez 15 2017 Petr Oros - 1:1.17-25.2
- Update Intel CPU microde for 06-3f-02, 06-4f-01 and 06-55-04
- Add amd microcode_amd_fam17h.bin data file
- Resolves: #1527357
- Intel: Tools for ME-security-exploits, 24.11.2017,
- kernel-5.4.249 (pclos2023) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and the reintegrated KPTI-/KAISER-patch
- "modprobe mei" or start or stop the load of module mei in /etc/modules by entering resp. removing the line "mei" MEI in this matter was mentionded in Intel-security-checks as one part of the main risk.

After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".

- Update Firefox to 57.0.4 resp. 52.5.3-ESR (OpenSuSE) - Security fixes to address the Meltdown and Spectre timing attacks - - Require new nss 3.34 (fixed rhbz#1531031) - Disabled ARM on all Fedoras due to rhbz#1523912
- Nvidia vs. Spectre: New Nvidia-drivers protect against Spectre-CPU-attacks,,3449339 NVIDIA graphics drivers (USN-3521-1,
- Webkitgtk+ (USN-3530-1)
- QEMU (USN-3560-1)
- libvirt (USN-3561-1)
- Cloud Images: Cloud images which address CVE-2017-5753 and CVE-2017-5715 (aka Spectre) and CVE-2017-5754 (aka Meltdown) are available for from for the following releases: ...

OKBeneath microcode_ctl (rosa2016.1, el6) look out for actual kernel-firmware (el6) and kernel-headers (el6) too. Take those from year2020, making it all mouseclick-fast !

niue-muenzenFirewall Linfw3 against Meltdown and Spectre: Set group "nobody" for the group of surfuser (with primary group nobody) and only allow surfuser with one more group of surfuser named surfgroup for example (instead of nobody) to go online. Linfw3 is able to block even root (UID: root, 0, GID: root, 0). So noone is allowed to go online through Linfw3 else surfuser with group surfgroup (instead of his primary group "nobody"), what prevents device drivers from exchaning data - as in this case caused by Meltdown and Spectre To go paranoid, to make it even more confusing for kernel and CPU, set all directories and files owned by surfuser to it´s primary group "nobody".

Test, if the system is secure now, protected well against Meltdown and Spectre, type into terminal the command:

head /sys/devices/system/cpu/vulnerabilities/*

You can update the kernel, if not.

OKIntegrate sensors and chips from mainboard:
Paket lm_sensors (pclos)
modprobe for found modules: enter them into /etc/modules ( for ITX-220: it87, coretemp, i2c-dev, mei)
Notice: It might be mouseclick-fast and more seucre not to enter them into /etc/modules.
LAN-Chip: eventually activate it through CMOS-BIOS-Setup (default: inactive)

OKLogging off idle users
Idle users are usually a security problem, a user might be idle maybe because he´s out to lunch or because a remote connection hung and was not re-established. For whatever the reason, idle users might lead to a compromise:

because the user´s console might be unlocked and can be accessed by an intruder.

because an attacker might be able to re-attach to a closed network connection and send commands to the remote shell (this is fairly easy if the remote shell is not encrypted as in the case of telnet).

Some remote systems have even been compromised through an idle (and detached) screen.

Automatic disconnection of idle users is usually a part of the local security policy that must be enforced. There are several ways to do this:

If bash is the user shell, a system administrator can set a default TMOUT value (see bash(1)) which will make the shell automatically log off remote idle users. Note that it must be set with the -o option or users will be able to change (or unset) it.

Install timeoutd and configure /etc/timeouts according to your local security policy. The daemon will watch for idle users and time out their shells accordingly.

Install autolog and configure it to remove idle users.

The timeoutd or autolog daemons are the preferred method since, after all, users can change their default shell or can, after running their default shell, switch to another (uncontrolled) shell.

Linux: TMOUT To Automatically Log Users Out
last updated May 18, 2011 in Categories BASH Shell, Linux

How do I auto Logout my shell user in Linux after certain minutes of inactivity?
Linux bash shell allows you to define the TMOUT environment variable. Set TMOUT to automatically log users out after a period of inactivity. The value is defined in seconds. For example,

export TMOUT=120

The above command will implement a 2 minute idle time-out for the default /bin/bash shell. You can edit your ~/.bash_profile or /etc/profile file as follows to define a 5 minute idle time out:

# set a 5 min timeout policy for bash shell
readonly TMOUT
export TMOUT

Save and close the file. The readonly command is used to make variables and functions readonly i.e. you user cannot change the value of variable called TMOUT.
How Do I Disable TMOUT?

To disable auto-logout, just set the TMOUT to zero or unset it as follows:
$ export TMOUT=0


$ unset TMOUT

Please note that readonly variable can only be disabled by root in /etc/profile or ~/.bash_profile

Or assign a value for SHELL_TIMEOUT (TMOUT) in /etc/security/msec/

OKRestricting access to kernel pointers in the proc filesystem, source: Arch Linux
Note: linux-hardened sets kptr_restrict=2 by default rather than 0.
Enabling kernel.kptr_restrict will hide kernel symbol addresses in /proc/kallsyms from regular users without CAP_SYSLOG, making it more difficult for kernel exploits to resolve addresses/symbols dynamically. This will not help that much on a pre-compiled Arch Linux kernel, since a determined attacker could just download the kernel package and get the symbols manually from there, but if you´re compiling your own kernel, this can help mitigating local root exploits. This will break some perf commands when used by non-root users (but many perf features require root access anyway). See FS#34323 for more information.
kernel.kptr_restrict = 1

OKNext point fstab-Option hidepid for proc from source Arch Linux should be applied once more at your own risk:
"Warning: This may cause issues for certain applications like an application running in a sandbox and Xorg.
. The kernel has the ability to hide other user-processes, normally accessible via /proc, from unprivileged users by mounting the proc filesystem with the hidepid= and gid= options documented here.
This greatly complicates an intruder´s task of gathering information about running processes, whether some daemon runs with elevated privileges, whether other user runs some sensitive program, whether other users run any program at all, makes it impossible to learn whether any user runs a specific program (given the program doesn´t reveal itself by its behaviour), and, as an additional bonus, poorly written programs passing sensitive information via program arguments are now protected against local eavesdroppers.
The proc group, provided by the filesystem package, acts as a whitelist of users authorized to learn other users´ process information. If users or services need access to /proc/<pid> directories beyond their own, add them to the group.
For example, to hide process information from other users except those in the proc group:
proc /proc proc nosuid,nodev,noexec,hidepid=2,gid=proc 0 0 "

In the following and therefore just for our paranoid view, only some more security-points, now from, up to, might interest like:

OKChoose a BIOS password
Before you install any operating system on your computer, set up a BIOS password. After installation (once you have enabled bootup from the hard disk) you should go back to the BIOS and change the boot sequence to disable booting from floppy, CD-ROM and other devices that shouldn´t boot. Otherwise a cracker only needs physical access and a boot disk to access your entire system.
Disabling booting unless a password is supplied is even better. This can be very effective if you run a server, because it is not rebooted very often. The downside to this tactic is that rebooting requires human intervention which can cause problems if the machine is not easily accessible.
Note: many BIOSes have well known default master passwords, and applications also exist to retrieve the passwords from the BIOS. Corollary: don´t depend on this measure to secure console access to system.

- Supervisor Password
- User Access Level from Full Access, View Only or Limited to No Access - this prevents user acsess onto the BIOS-Setup-Utility, so that no changes of the settings are possible anymore. Now the BIOS is protected.
- User Password
- Password Check from (only for BIOS-)Setup to Always

OKTurn Off IPv6
If you´re not using a IPv6 protocol, then you should disable it because most of the applications or policies not required IPv6 protocol and currently it doesn´t required on the server. Go to network configuration file and add followings lines to disable it.

nano /etc/sysconfig/network
USERCTL=no # prvents normal user from dialing in

Boot-process: If the message "Can not stat ( a named ) initscript" occurs during system boot, delete this initscript through all six runlevel and in directory init.d by
rm -df /etc/rc0.d/initscript-name
rm -df /etc/rc1.d/initscript-name
rm -df /etc/rc6.d/initscript-name
rm -df /etc/init.d/initscript-name

OKActivate resp. deactivate kernel-moduls
Get a listing of the kernel-modules by the terminal command lsmod.
In order to make the computer mouseclick-fast, all kernel modules without essential use have to be removed from /etc/rc.modules, while this file enpossibles to integrate modules by the command &quto;modprobe Modulname" added to the last line.
. Following our example-hardware from datasheed, the control-modules it87 und i2c-dev can be disabled and the service envoking them named lm_sensors deactivated.

# xorg.conf with automized hardware-detection
# WARNING: Choose view settings only, if the x-server does not start!
# Then consult /var/log/Xog.0.log and look out for errors- (EE)- and warnings (WW)!
# Einzelheiten: "man xorg.conf"
# File generated by XFdrake (rev )

# **********************************************************************
# Refer to the xorg.conf man page for details about the format of
# this file.
# ******
# ****************************************************************
Section "ServerLayout"
Identifier "XFree86 Configured"
Screen 0 "Screen0" 0 0
# InputDevice "Keyboard0" "CoreKeyboard" # commented in: hotplug
# InputDevice "Mymouse1" "CorePointer"# commented in: hotplug
Option "AIGLX" "true"

Section "ServerFlags"
Option "DontVTSwitch" "true"
Option "DontZap" "true" # disable <Ctrl><Alt><BS> (server abort)
Option "AllowMouseOpenFail" "true" # allows the server to start up even if the mouse does not work
DontZoom # disable <Ctrl><Alt><KP_+>/<KP_-> (resolution switching)
Option "DPMS" "true"
Option "Xinerama" "true"
# Option "DRI2" "true"
Option "UseDefaultFontPath" "true"
# Option "Pixmap" "32"
Option "IgnoreABI" "true"
Option "AutoAddDevices" "true"
Option "AutoEnableDevices" "true"

Section "Files"
ModulePath "/usr/lib64/xorg/modules/extensions,/usr/lib64/xorg/modules"
FontPath "/usr/share/fonts/X11/misc:unscaled"
# FontPath "/usr/share/fonts/X11/cyrillic"
FontPath "/usr/share/fonts/X11/100dpi/:unscaled"
FontPath "/usr/share/fonts/X11/75dpi/:unscaled"
FontPath "/usr/share/fonts/X11/Type1"
FontPath "/usr/share/fonts/X11/100dpi"
FontPath "/usr/share/fonts/X11/75dpi"
FontPath "/usr/share/fonts/truetype"
FontPath "built-ins"

Section "Module"
Load "dbe" # Double-Buffering Extension
Load "v4l" # Video for Linux
Load "type1"
Load "freetype"
Load "glx" # 3D layer
Load "dri" # direct rendering
# Load "record"
Load "extmod"
# Load "speedo" # Speedo fonts, this module doesn´t exist in Xorg 7.0.17
# The following are deprecated/unstable/unneeded in Xorg 7.0
# Load "ddc" # ddc probing of monitor, this should be never present, as it gets automatically loaded.
# Load "GLcore" # This should be never present, as it gets automatically loaded.
# Load "bitmap" # Should be never present, as it gets automatically loaded. This is a font module, and loading it in xorg.conf makes X try to load it twice.
SubSection "extmod"
Option "omit xfree86-dga"

Section "Extensions"
# compiz needs Composite, but it can cause bad (end even softreset-resistant)
# effects in some graphics cards, especially nv.
Option "Composite" "Enable"

Section "Monitor"
Identifier "Monitor0"
ModelName "Generic Monitor"
# HorizSync 47.7
# VertRefresh 59.8
Option "PreferredMode" "1366×768"
# DisplaySize 361 203
# Vesa values! You can comment in all following Modeline for Monitor AOC e943FwS preferred modeline (59.8 Hz vsync, 47.7 kHz hsync, ratio 16/9, 84 dpi)
# ModeLine "1366×768" 85.5 1366 1436 1579 1792 768 771 774 798 +hsync +vsync
# ModeLine "1368x768_120" 185.67 1368 1472 1624 1880 768 769 772 823 -hSync +vsync
# ModeLine "1368x768_100" 151.73 1368 1464 1616 1864 768 769 772 814 -hSync +vsync
# ModeLine "1368x768_85" 125.67 1368 1456 1600 1832 768 769 772 807 -hSync +vsync
# ModeLine "1368x768_75" 110.19 1368 1456 1600 1832 768 769 772 802 -hSync +vsync
# ModeLine "1368x768_60" 85.86 1368 1440 1584 1800 768 769 772 795 -hSync +vsync
ModeLine "1368x768" 85.86 1368 1440 1584 1800 768 769 772 795 -hSync +vsync
# ModeLine "1368x768_50" 69.92 1368 1424 1568 1768 768 769 772 791 -hSync +vsync
# Option "MonitorLayout" "LVDS,AUTO"

Section "Device"
Identifier "Card0"
# Driver (chipset) autodetect
VendorName "All"
BoardName "All"
# BusID "PCI:1:0:0"
# VendorName "Intel Corporation"
# BoardName "Intel 810 and later"
# Driver "intel" # one of fbdev (framebuffer device), vesa (Standard), vga, vga16, uncommon, void, dummy, ati, catalyst, nv, nvidia, nouveau, amdgpu, rendition, radeon, radeonhd, fglrx, tdfx, trident, virge, s3virge, siliconmotion, aiptek, apm, ast, fpit, glint, mutouch, qxl, r128, synaptics, v4l, wacom, xgi, ark, virtualbox, vmware, vmmouse, matrox, cirrus, aty, i810, i128, i740, ark, kyropfb, matrox, i2c-matrox, hga, riva, sst, neo, s3, openchrome (incl. unichrome), savage, sis, tseng, ...
Screen 0
# BusID "PCI:0:2:0"
Option "DPMS"
Option "AccelMethod" "EXA"
Option "AddARGBGLXVisuals" "true"
Option "fbdev" "true"
Option "DRI" "true"
### Available Driver options
# sw_cursor is needed for some ati and radeon cards
# Option "sw_cursor"
# Option "hw_cursor"
# Option "NoAccel"
# Option "ShowCache"
# Option "ShadowFB"
# Option "UseFBDev"
# Option "Rotate"
# Option "VideoKey"
# Option "Linear Framebuffer <bool>
# Option "SwapbuffersWait" <bool>
# Option "XvPreferOverlay" <bool>
# Option "Backlight" <str>
# Option "ColorKey" <i>
# Option "HotPlug" "true"
Option "XvMC" "true"
# Option "RelaxedFencing" <bool>
# Option "RelaxedFencing" # [<bool>]
# Option "Throttle" # [<bool>]
# Option "ZaphodHeads" # <str>
# Option "DelayedFlush" # [<bool>]
# Option "TearFree" # [<bool>]
# Option "PerCrtcPixmaps" # [<bool>]
# Option "FallbackDebug" # [<bool>]
# Option "DebugFlushBatches" # [<bool>]
# Option "DebugFlushCaches" # [<bool>]
# Option "DebugWait" # [<bool>]
# Option "BufferCache" # [<bool>]
# Option "TripleBuffer" # [<bool>]
# Option "DisableGLXRootClipping" "true"
Option "EnablePageFlip" "true"
# Option "ColorTiling2D" "true"
Option "TripleBuffer" "true"
# Option "MigrationHeuristic" "greedy"
# Option "ColorTiling" "true"
Option "TearFree" "true"
Option "ZaphodHeads" "VGA1"
# Tweaks for the xorg 7.4 (otherwise broken) "intel" driver
Option "Tiling" "no"
# Option "Legacy3D" "false"
# compiz, beryl 3D-Support with DRI &Composite
Option "XAANoOffscreenPixmaps"
Option "AllowGLXWithComposite" "true"
# These two lines are (presumably) needed to prevent fonts from being scrambled
Option "XaaNoScanlineImageWriteRect" "true"
Option "XaaNoScanlineCPUToScreenColorExpandFill" "true"

Section "Screen"
Identifier "Screen0"
Device "Card0"
Monitor "Monitor0"
DefaultColorDepth 24
Option "AddARGBGLXVisuals" "true"
Option "DisableGLXRootClipping" "true"

SubSection "Display"
Depth 24
Modes "1366×768"
SubSection "Display"
Depth 32
Modes "1366×768"
SubSection "Display"
Depth 16
Modes "1366×768"
SubSection "Display"
Depth 15
Modes "1366×768"

Section "DRI"
Mode 0666

Section "InputDevice"
Identifier "Mymouse1"
Driver "mouse"

# Option "Device" "/dev/ttyS0"
Option "Protocol" "ImPS/2"
# Option "Device" "/dev/psaux"
# Option "Device" "/dev/ttyS0"
Option "Device" "/dev/input/mice"
Option "Emulate3Buttons" "true"
Option "CorePointer"
# Option "Protocol" "Auto"
# Option "Protocol" "ExplorerPS/2"
# Option "Protocol" "auto"
Option "ZAxisMapping" "4 5"
# Option "ZAxisMapping" "4 5 6 7"

Section "InputDevice"
# generated from default
Identifier "Keyboard0"
Driver "kbd"
Option "XkbModel" "pc105"
Option "XkbLayout" "de"
Option "CoreKeyboard"
Option "XkbRules" "xorg"
Option "AccelerationProfile" "0"

OKDo not plug to the Internet until ready
The system should not be immediately connected to the Internet during installation. This could sound stupid but network installation is a common method. Since the system will install and activate services immediately, if the system is connected to the Internet and the services are not properly configured you are opening it to attack.

OKRun the minimum number of services required
Services are programs such as ftp servers and web servers. Since they have to be listening for incoming connections that request the service, external computers can connect to yours. Services are sometimes vulnerable (i.e. can be compromised under a given attack) and hence present a security risk. Unwanted servces might be: telnet, ftp, smbd and nmbd (Samba), portmap (NFS), automount (NFS, network file system), rexec, named (DNS), lpd (printer), inetd, ...

OKSet a LILO or GRUB password
What matters for updates, should almost be not the version of the rpm but the new release of one and the same version (backport-concept).

OKumask (see man umask): recommended values:
/etc/fstab: option umask 077 at least for the root- and home-Partition
~/.bashrc: umask 077 # for all user
~/.bashrc-profile: umask 077 # for all user
/etc/profile: umask 022 # to keep most of all accessible for a user

OKDisable root prompt on the initramfs
Note: This applies to the default kernels provided for releases after Debian 3.1
Linux 2.6 kernels provide a way to access a root shell while booting which will be presented during loading the initramfs on error. This is helpful to permit the administrator to enter a rescue shell with root permissions. This shell can be used to manually load modules when autodetection fails. This behavior is the default for initramfs-tools generated initramfs. The following message will appear:

"ALERT! /dev/sda1 does not exist. Dropping to a shell!"

In order to remove this behavior you need to set the following boot argument:panic=0. Add this to the variable GRUB_CMDLINE_LINUX in /etc/default/grub and issue update-grub or to the append section of /etc/lilo.conf.

OKRemove root prompt on the kernel
Note: This does not apply to the kernels provided for Debian 3.1 as the timeout for the kernel delay has been changed to 0.
Linux 2.4 kernels provide a way to access a root shell while booting which will be presented just after loading the cramfs file system. A message will appear to permit the administrator to enter an executable shell with root permissions, this shell can be used to manually load modules wheX11-Servern autodetection fails. This behavior is the default for initrd´s linuxrc. The following message will appear:

Press ENTER to obtain a shell (waits 5 seconds)

In order to remove this behavior you need to change /etc/mkinitrd/mkinitrd.conf and set:

# DELAY The number of seconds the linuxrc script should wait to # allow the user to interrupt it before the system is brought up DELAY=0

Then regenerate your ramdisk image. You can do this for example with:

# cd /boot # mkinitrd -o initrd.img-2.4.18-k7 /lib/modules/2.4.18-k7

or (preferred):

# dpkg-reconfigure -plow kernel-image-2.4.x-yz

OKRestricting console login access
Some security policies might force administrators to log in to the system through the console with their user/password and then become superuser (with su or sudo). This policy is implemented in Debian by editing the /etc/pam.d/login and the /etc/securetty when using PAM (make a backup, before doing this!):

/etc/pam.d/login enables the module. This module, when properly configured will not ask for a password when the root user tries to login on an insecure console, rejecting access as this user.
securetty by adding/removing the terminals to which root access will be allowed. If you wish to allow only local console access then you need console, ttyX and vc/X (if using devfs devices), you might want to add also ttySX, if you are using a serial console for local access (where X is an integer, you might want to have multiple instances. The default configuration for Wheezy includes many tty devices, serial ports, vc consoles as well as the X server and the console device. You can safely adjust this if you are not using that many consoles. You can confirm the virtual consoles and the tty devices you have by reviewing /etc/inittab . For more information on terminal devices read the Text-Terminal-HOWTO.

When using PAM, other changes to the login process, which might include restrictions to users and groups at given times, can be configured in /etc/pam.d/login. An interesting feature, that can be disabled, is the possibility to login with null (blank) passwords. This feature can be limited by removing nullok from the line:

auth required nullok

Our /etc/pam.d/login:

auth required
auth required deny=3 even_deny_root unlock_time=2400
auth include system-auth
account required
account include system-auth
password include system-auth
# close should be the first session rule
session required close
session required
session optional
# open should only be followed by sessions to be executed in the user context
session required open
session required
session optional force revoke
session include system-auth
-session optional

is the file, where to add or delete terminals for the login of root. If a local access by console should be allowed only, then add console, ttyX and vc/X ( if devfs-interface is used, where X is an integer ).

The primary entry types and their affects are as follows:
If /etc/securetty doesn´t exist, root is allowed to login from any tty
If /etc/securetty exist and is empty, root access will be restricted to single user mode or programs, that are not restricted by pam_securetty (i.e. su, sudo, ssh, scp, sftp)
if you are using devfs (a deprecated filesystem for handling /dev), adding entries of the form vc/[0-9]* will permit root login from the given virtual console number
if you are using udev (for dynamic device management and replacement for devfs), adding entries of the form tty[0-9]* will permit root login from the given virtual console number
listing console in securetty, normally has no effect since /dev/console points to the current console and is normally only used as the tty filename in single user mode, which is unaffected by /etc/securetty
adding entries like pts/[0-9]* will allow programs that use pseudo-terminals (pty) and pam_securetty to login into root assuming the allocated pty is one of the ones listed; it´s normally a good idea not to include these entries because it´s a security risk; it would allow, for instance, someone to login into root via telenet, which sends passwords in plaintext (note that pts/[0-9]* is the format for udev which is used in RHEL 5.5; it will be different if using devfs or some other form of device management)
For single user mode, /etc/securetty is not consulted because the sulogin is used instead of login. See the sulogin man page for more info. Also you can change the login program used in /etc/inittab for each runlevel.

OKRestricting system reboots through the console
If your system has a keyboard attached to it anyone (yes anyone) with physical access to the system can reboot the system through it without login in just pressing the Ctrl+Alt+Delete keyboard combination, also known as the three finger salute. This might, or might not, adhere to your security policy.
This is aggravated in environments in which the operating system is running virtualised. In these environments, the possibility extends to users that have access to the virtual console (which might be accessed over the network). Also note that, in these environments, this keyboard combination is used constantly (to open a login shell in some GUI operating systems) and an administrator might virtually send it and force a system reboot.

There are two ways to restrict this:
configure it so that only allowed users can reboot the system, disable this feature completely.

If you want to restrict this, you must check the /etc/inittab so that the line that includes ctrlaltdel calls shutdown with the -a switch.
The default in Debian includes this switch:

ca:12345:ctrlaltdel:/sbin/shutdown -t1 -a -r now

The -a switch, as the shutdown(8) manpage describes,makes it possible to allow some users to shutdown the system. For this the file /etc/shutdown.allow must be created and the administrator has to include there the name of users which can boot the system. When the three finger salute combination is pressed in a console the program will check if any of the users listed in the file are logged in. If none of them is, shutdown will not reboot the system.
If you want to disable the Ctrl+Alt+Del combination you just need to comment the line with the ctrlaltdel definition in the /etc/inittab.
Remember to run init q after making any changes to the /etc/inittab file for the changes to take effect.

OKRestricting the use of the Magic SysRq key
The Magic SysRq key is a key combination that allows users connected to the system console of a Linux kernel to perform some low-level commands. These low-level commands are sent by pressing simultaneously Alt+SysRq and a command key. The SysRq key in many keyboards is labeled as the Print Screen key.
Since the Etch release, the Magic SysRq key feature is enabled in the Linux kernel to allow console users certain privileges. You can confirm this by checking if the /proc/sys/kernel/sysrq exists and reviewing its value:

$ cat /proc/sys/kernel/sysrq

The default value shown above allows all of the SysRq functions except for the possibility of sending signals to processes. For example, it allow users connected to the console to remount all systems read-only, reboot the system or cause a kernel panic. In all the features are enabled, or in older kernels (earlier than 2.6.12) the value will be just 1.
You should disable this functionality ifaccess to the console is not restricted to authorised users: the console is connected to a modem line, there is easy physical access to the system or it is running in a virtualised environment and other users access the console. To do this edit the /etc/sysctl.conf and add the following lines:

# Disables the magic SysRq key
kernel.sysrq = 0

OKUser authentication: PAM
PAM (Pluggable Authentication Modules) allows system administrators to choose how applications authenticate users. Note that PAM can do nothing unless an application is compiled with support for PAM. Most of the applications that are shipped with Debian have this support built in (Debian did not have PAM support before 2.2). The current default configuration for any PAM-enabled service is to emulate UNIX authentication (read /usr/share/doc/libpam0g/Debian-PAM-MiniPolicy.gz for more information on how PAM services should work in Debian).
Each application with PAM support provides a configuration file in /etc/pam.d/ which can be used to modify its behavior:

what backend is used for authentication.

what backend is used for sessions.

how do password checks behave.

The following description is far from complete, for more information you might want to read the Linux-PAM Guides as a reference. This documentation is available in the system if you install the libpam-doc at /usr/share/doc/libpam-doc/html/.
PAM offers you the possibility to go through several authentication steps at once, without the user´s knowledge. You could authenticate against a Berkeley database and against the normal passwd file, and the user only logs in if the authentication succeeds in both. You can restrict a lot with PAM, just as you can open your system doors very wide. So be careful. A typical configuration line has a control field as its second element. Generally it should be set to requisite, which returns a login failure if one module fails.
More about PAM:, chapter 4.11

OKUser login actions: edit /etc/login.defs (make a backup, before doing this!)
The next step is to edit the basic configuration and action upon user login. Note that this file is not part of the PAM configuration, it´s a configuration file honored by login and su programs, so it doesn´t make sense tuning it for cases where neither of the two programs are at least indirectly called (the getty program which sits on the consoles and offers the initial login prompt does invoke login).


If you enable this variable, failed logins will be logged. It is important to keep track of them to catch someone who tries a brute force attack.


If you set this variable to ´yes´ it will record unknown usernames if the login failed. It is best if you use ´no´ (the default) since, otherwise, user passwords might be inadvertenly logged here (if a user mistypes and they enter their password as the username). If you set it to ´yes´, make sure the logs have the proper permissions (640 for example, with an appropriate group setting such as adm).


This one enables logging of su attempts to syslog. Quite important on serious machines but note that this can create privacy issues as well.


The same as SYSLOG_SU_ENAB but applies to the sg program.


As stated above, encrypted passwords greatly reduce the problem of dictionary attacks, since you can use longer passwords. This definition has to be consistent with the value defined in /etc/pam.d/common-password.

OKUser login actions: edit /etc/pam.d/login (make a backup, before doing this!)
You can adjust the login configuration file to implement an stricter policy. For example, you can change the default configuration and increase the delay time between login prompts. The default configuration sets a 3 seconds delay:

auth optional delay=3000000

Increasing the delay value to a higher value to make it harder to use the terminal to log in using brute force. If a wrong password is typed in, the possible attacker (or normal user!) has to wait longer seconds to get a new login prompt, which is quite time consuming when you test passwords. For example, if you set delay=10000000, users will have to wait 10 seconds if they type a wrong password.

In this file you can also set the system to present a message to users before a user logs in. The default is disabled, as shown below:

# auth required issue=/etc/issue

If required by your security policy, this file can be used to show a standard message indicating that access to the system is restricted and user acess is logged. This kind of disclaimer might be required in some environments and jurisdictions. To enable it, just include the relevant information in the /etc/issue [24] file and uncomment the line enabling the module in /etc/pam.d/login. In this file you can also enable additional features which might be relevant to apply local security policies such as:

setting rules for which users can access at which times, by enabling the module and configuring /etc/security/time.conf accordingly (disabled by default),

setup login sessions to use user limits as defined in /etc/security/limits.conf (enabled by default),

present the user with the information of previous login information (enabled by default),

print a message (/etc/motd and /run/motd.dynamic) to users after login in (enabled by default),

OKRestricting ftp: editing /etc/ftpusers (make a backup, before doing this!)
The /etc/ftpusers file contains a list of users who are not allowed to log into the host using ftp. Only use this file if you really want to allow ftp (which is not recommended in general, because it uses clear-text passwords). If your daemon supports PAM, you can also use that to allow and deny users for certain services.
A convenient way to add all system accounts to the /etc/ftpusers is to run

$ awk -F : ´{if ($3<1000) print $1}´ /etc/passwd > /etc/ftpusers

OKDisallow remote administrative access
You should also modify /etc/security/access.conf to disallow remote logins to administrative accounts. This way users need to invoke su (or sudo) to use any administrative powers and the appropriate audit trace will always be generated.
You need to add the following line to /etc/security/access.conf, the default Debian configuration file has a sample line commented out (making your system mouseclick-fast; do not forget to make a backup of this file, before doing this!).
As already described commented in in /etc/security/access.conf, for root and system user and user:

# User "root" should be denied to get access from all other sources.
- : root : ALL
- : user : ALL
- : surfuser :
- : toruser :
- : uuidd : ALL
- . messagebus: ALL
- : ftp : ALL
- : mail : ALL
- : pop3ad : ALL
- : bin : ALL
- : daemon : ALL
- : adm : ALL
- : sync : ALL
- : halt : ALL
- : news : ALL
# All other users should be denied to get access from all sources.

Look out for other important options in this file too. Remember to enable the pam_access module for every service (or default configuration) in /etc/pam.d/ if you want your changes to /etc/security/access.conf honored.

OKConfiguring syncookies
This option is a double-edged sword. On the one hand it protects your system against syn packet flooding; on the other hand it violates defined standards (RFCs).

net/ipv4/tcp_syncookies = 1

If you want to change this option each time the kernel is working you need to change it in /etc/network/options by setting syncookies=yes. This will take effect when ever /etc/init.d/networking is run (which is typically done at boot time) while the following will have a one-time effect until the reboot:

echo 1 > /proc/sys/net/ipv4/tcp_syncookies # e.g. within /etc/rc.local

This option will only be available if the kernel is compiled with the CONFIG_SYNCOOKIES. All Debian kernels are compiled with this option builtin but you can verify it running:

$ sysctl -A |grep syncookies
net/ipv4/tcp_syncookies = 1

For more information on TCP syncookies read

Disabling weak-end hosts issues
Systems with more than one interface on different networks can have services configured so that they will bind only to a given IP address. This usually prevents access to services when requested through any other address. However, this does not mean (although it is a common misconception) that the service is bound to a given hardware address (interface card).
This is not an ARP issue and it´s not an RFC violation (it´s called weak end host in RFC1122, section Remember, IP addresses have nothing to do with physical interfaces.
On 2.2 (and previous) kernels this can be fixed with:

# echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/eth1/hidden

..... On later kernels this can be fixed either with:

iptables rules.

properly configured routing.

kernel patching.

Along this text there will be many occasions in which it is shown how to configure some services (sshd server, apache, printer service...) in order to have them listening on any given address, the reader should take into account that, without the fixes given here, the fix would not prevent accesses from within the same (local) network.

OKUsing tcpwrappers
TCP wrappers were developed when there were no real packet filters available and access control was needed. Nevertheless, they´re still very interesting and useful. The TCP wrappers allow you to allow or deny a service for a host or a domain and define a default allow or deny rule (all performed on the application level). If you want more information take a look at hosts_access(5).
Many services installed in Debian are either:

launched through the tcpwrapper service (tcpd)

compiled with libwrapper support built-in.

On the one hand, for services configured in /etc/inetd.conf (this includes telnet, ftp, netbios, swat and finger) you will see that the configuration file executes /usr/sbin/tcpd first. On the other hand, even if a service is not launched by the inetd superdaemon, support for the tcp wrappers rules can be compiled into it. Services compiled with tcp wrappers in Debian include ssh, portmap,, rpc.statd, rpc.mountd, gdm, oaf (the GNOME activator daemon), nessus and many others.

To see which packages use tcpwrappers [31] try:

$ apt-cache rdepends libwrap0

Take this into account when running tcpdchk (a very useful TCP wrappers config file rule and syntax checker). When you add stand-alone services (that are directly linked with the wrapper library) into the hosts.deny and hosts.allow files, tcpdchk will warn you that it is not able to find the mentioned services since it only looks for them in /etc/inetd.conf (the manpage is not totally accurate here).

Now, here comes a small trick, and probably the smallest intrusion detection system available. In general, you should have a decent firewall policy as a first line, and tcp wrappers as the second line of defense. One little trick is to set up a SPAWN command in /etc/hosts.deny that sends mail to root whenever a denied service triggers wrappers:

echo -e "n
TCP Wrappers: Connection refusedn
By: $(uname -n)n
Process: %d (pid %p)n
User: %un
Host: %cn
Date: $(date)n
" | /usr/bin/mail -s "Connection to %d blocked" root) &

Beware: The above printed example is open to a DoS attack by making many connections in a short period of time. Many emails mean a lot of file I/O by sending only a few packets.

OKProtecting against ARP attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then if the IP isn´t present in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:
Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored. Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.

OKSecuring FTP
If you really have to use FTP (without wrapping it with sslwrap or inside a SSL or SSH tunnel), you should chroot ftp into the ftp users´ home directory, so that the user is unable to see anything else than their own directory. Otherwise they could traverse your root file system just like if they had a shell in it. You can add the following line in your proftpd.conf in your global section to enable this chroot feature:

DefaultRoot ~

Restart ProFTPd by /etc/init.d/proftpd restart and check whether you can escape from your homedir now.
To prevent ProFTPd DoS attacks using ../../.., add the following line in /etc/proftpd.conf: DenyFilter *.*/
Always remember that FTP sends login and authentication passwords in clear text (this is not an issue if you are providing an anonymous public service) and there are better alternatives in Debian for this. For example, sftp (provided by ssh). There are also free implementations of SSH for other operating systems: putty and cygwin for example.
However, if you still maintain the FTP server while making users access through SSH you might encounter a typical problem. Users accessing anonymous FTP servers inside SSH-secured systems might try to log in the FTP server. While the access will be refused, the password will nevertheless be sent through the net in clear form. To avoid that, ProFTPd developer TJ Saunders has created a patch that prevents users feeding the anonymous FTP server with valid SSH accounts. More information and patch available at: ProFTPD Patches. This patch has been reported to Debian too, see Bug #145669.

OKBoot-break kernel or haldaemon (hal, hald)?
The kernel (in our case 5.4.110 resp. 4.20.13) or haldaemon resp. hal from Mandriva-derivates as much as CentOS 6 is an enormous system-boot- and -shutdown-break "making more or less a pause" of around 30 up to 45 seconds during the system boot resp. -shutdown.
Configuration of hal:

<!-- This configuration file controls the Hardware Abstraction Layer
daemon - it is meant that OS vendors customize this file to reflect
their desired policy.


<!-- If true, then the device list is saved to disk such that
properties are kept between invocations of hald.

<!-- Default value for storage.media_check_enabled for devices of
capability storage - this can be overridden by .fdi files.

Setting this to false results a whitelist policy, e.g. media
check is only enabled for storage devices with a .fdi file
saying so.

Conversely, setting it to true results in a blacklist policy
where media check is enabled by default but may be overridden
by a .fdi for devices causing trouble.

<!-- Default value for storage.automount_enabled_hint for devices of
capability storage - this can be overridden by .fdi files.

Setting this to false results a whitelist policy, e.g. policy
agents should only automount storage devices with a .fdi file
saying so.

Conversely, setting it to true results in a blacklist policy
where policy agents should always automount unless this is
explicitly overridden by .fdi for devices causing trouble.

As of 2011, Linux distributions such as Ubuntu,[5] Debian,[6] and Fedora and on FreeBSD,[7] and projects such as KDE,[8] GNOME and are in the process of deprecating HAL as it has "become a large monolithic unmaintainable mess".[5] The process is largely complete, but some use of HAL remains - Debian squeeze (Feb 2011) and Ubuntu version 10.04 remove HAL from the basic system and boot process.[9] In Linux, it is in the process of being merged into udev (main udev, libudev, and udev-extras) and existing udev and kernel functionality. The replacement for non-Linux systems such as FreeBSD is devd.
Initially a new daemon DeviceKit was planned to replace certain aspects of HAL, but in March 2009, DeviceKit was deprecated in favor of adding the same code to udev as a package: udev-extras, and some functions have now moved to udev proper.

Disabling useless daemons in RHEL/Centos/Oracle 6 servers
HAL provides valuable attack surfaces to attackers as an intermediary to privileged operations and should be disabled unless necessary: # chkconfig haldaemon off.
The hald - Hardware Access Layer Daemon - runs several processes in order to keep track of what hardware is installed on your system. This includes polling USB Drives and ´hot-swap´ devices to check for changes along with a host of other tasks.
You might see it running on your system as follows:
2474 ? S 0:00 \_ hald-runner
2481 ? S 0:00 \_ hald-addon-acpi: listening on acpid socket /var/run/acpid.socket
2487 ? S 0:00 \_ hald-addon-keyboard: listening on /dev/input/event0
2495 ? S 41:47 \_ hald-addon-storage: polling /dev/hdc

If your system is static and the devices do not change, you can actually disable this service using a policy entry.
Create a file in your policy directory, for example /etc/hal/fdi/policy/99-custom.fdi. Add the text:


Save and reload the hald using /etc/init.d/haldaemon restart.
And you will find that service no longer is polling your hardware.
Of course to turn it back on, remove that policy entry and restart the haldaemon again, it will be back in service.
Solution Credit: Linuxforums User cn77

udev-Regel für PS/2-mouse (optical mouse from Logitech®)

... results from &quto;udevadm info -a -p /devices/platform/i8042/serio1/input/input12"

KERNEL=="input12" SUBSYSTEM=="input" DRIVER=="" ATTR{uniq}=="" ATTR{properties}=="1" ATTR{phys}=="isa0060/serio1/input0" ATTR{name}=="ImExPS/2 Logitech Wheel Mouse" ATTR{modalias}=="input:b0011v0002p0006e0063-e0,1,2,k110,111,112,113,114,r0,1,6,8,amlsfw"
KERNELS=="serio1" SUBSYSTEMS=="serio" DRIVERS=="psmouse" ATTRS{resetafter}=="5" ATTRS{resolution}=="200" ATTRS{description}=="i8042 AUX port" ATTRS{firmware_id}=="PNP: PNP0f03 PNP0f13" ATTRS{protocol}=="ImExPS/2" ATTRS{rate}=="100" ATTRS{bind_mode}=="auto" ATTRS{resync_time}=="0" ATTRS{modalias}=="serio:ty01pr00id00ex00"

OKSecure up RPC-services
Deactivate RPC abschalten (or deinstall it), if not needed.

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers.

OKtcp_wrapper for server

With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other network services.
It supports both 4.3BSD-style sockets and System V.4-style TLI. Praise yourself lucky if you don´t know what that means.
The package provides tiny daemon wrapper programs that can be installed without any changes to existing software or to existing configuration files. The wrappers report the name of the client host and of the requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications.
Optional features are: access control to restrict what systems can connect to what network daemons; client user name lookups with the RFC 931 etc. protocol; additional protection against hosts that pretend to have someone elses host name; additional protection against hosts that pretend to have someone elses host address.

OKSecuring Squid
Squid is one of the most popular proxy/cache server, and there are some security issues that should be taken into account. Squid´s default configuration file denies all users requests. However the Debian package allows access from ´localhost´, you just need to configure your browser properly. You should configure Squid to allow access to trusted users, hosts or networks defining an Access Control List on /etc/squid/squid.conf, see the Squid User´s Guide for more information about defining ACLs rules. Notice that Debian provides a minimum configuration for Squid that will prevent anything, except from localhost to connect to your proxy server (which will run in the default port 3128). You will need to customize your /etc/squid/squid.conf as needed. The recommended minimum configuration (provided with the package) is shown below:

acl all src
acl manager proto cache_object
acl localhost src
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
X11-Server acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl Safe_ports port 901 # SWAT
acl purge method PURGE
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Only allow purge requests from localhost
http_access allow purge localhost
http_access deny purge
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
# And finally deny all other access to this proxy
http_access deny all
# icp_access deny all
#Allow ICP queries from everyone
icp_access allow all

You should also configure Squid based on your system resources, including cache memory (option cache_mem), location of the cached files and the amount of space they will take up on disk (option cache_dir).
Notice that, if not properly configured, someone may relay a mail message through Squid, since the HTTP and SMTP protocols are designed similarly. Squid´s default configuration file denies access to port 25. If you wish to allow connections to port 25 just add it to Safe_ports lists. However, this is NOT recommended.
Setting and configuring the proxy/cache server properly is only part of keeping your site secure. Another necessary task is to analyze Squid´s logs to assure that all things are working as they should be working. There are some packages in Debian GNU/Linux that can help an administrator to do this. The following packages are available in Debian 3.0 and Debian 3.1 (sarge):

calamaris - Log analyzer for Squid or Oops proxy log files.
modlogan - A modular logfile analyzer.
sarg - Squid Analysis Report Generator.
squidtaild - Squid log monitoring program.

When using Squid in Accelerator Mode it acts as a web server too. Turning on this option increases code complexity, making it less reliable. By default Squid is not configured to act as a web server, so you don´t need to worry about this. Note that if you want to use this feature be sure that it is really necessary. To find more information about Accelerator Mode on Squid see the Squid User´s Guide - Accelerator Mode

OKSecuring printing access (the lpd and lprng issue)
Imagine, you arrive at work, and the printer is spitting out endless amounts of paper because someone is DoSing your line printer daemon. Nasty, isn´t it?
In any UNIX printing architecture, there has to be a way to get the client´s data to the host´s print server. In traditional lpr and lp, the client command copies or symlinks the data into the spool directory (which is why these programs are usually SUID or SGID).
In order to avoid any issues you should keep your printer servers especially secure. This means you need to configure your printer service so it will only allow connections from a set of trusted servers. In order to do this, add the servers you want to allow printing to your /etc/hosts.lpd.
However, even if you do this, the lpr daemon accepts incoming connections on port 515 of any interface. You should consider firewalling connections from networks/hosts which are not allowed printing (the lpr daemon cannot be limited to listen only on a given IP address).
Lprng should be preferred over lpr since it can be configured to do IP access control. And you can specify which interface to bind to (although somewhat weirdly).
If you are using a printer in your system, but only locally, you will not want to share this service over a network. You can consider using other printing systems, like the one provided by cups or PDQ which is based on user permissions of the /dev/lp0 device.
In cups, the print data is transferred to the server via the HTTP protocol. This means the client program doesn´t need any special privileges, but does require that the server is listening on a port somewhere.
However, if you want to use cups, but only locally, you can configure it to bind to the loopback interface by changing /etc/cups/cupsd.conf:

Listen # This might not work! To go sure: Port 631 and Listen /var/run/cups/cups.sock

There are many other security options like allowing or denying networks and hosts in this config file. However, if you do not need them you might be better off just limiting the listening port. Cups also serves documentation through the HTTP port, if you do not want to disclose potential useful information to outside attackers (and the port is open) add also:

>Location /<
Order Deny,Allow
Deny From All
Allow From # or try "Allow @LOCAL"

This configuration file can be modified to add some more features including SSL/TLS certificates and crypto. The manuals are available at http://localhost:631/ or at
FIXME: Add more content (the article on Amateur Fortress Building provides some very interesting views).
FIXME: Check if PDG is available in Debian, and if so, suggest this as the preferred printing system.
FIXME: Check if Farmer/Wietse has a replacement for printer daemon and if it´s available in Debian.

OKSecuring SSH, mail-service, BIND, Apache, Finger and deactivate NIS

OKAdministrate the services with systemd since year 2013 or by chkconfig
/etc/rc.local for each boot still is not registrated, so it still might not be executed, maybe the same for ip6tables and iptables. For this purpose create rc.local in /etc/init.d (by overwriting it with /etc/init.d/linfw3 for example) to change the include of previous daemon linfw3, now rc.local in /etc/init.d up to the following: start() "sh /etc/init.d/rc.local", unneeded variables removed and without stop() and restart(). Set a new chkconfig-number in the commented in line at the beginning.
To be careful, registrate the service: "chkconfig --add rc.local".
Generally, using this command, all services get visible in MCC -> service administration.
Set the hooks to activate the needed ones only or set the runlevel 0 up to 6 for each new service manually, almost like 0-OFF 1-OFF 2-OFF 3-ON 4-ON 5-ON 6-OFF.
Notice, that all runlevel-init-scripts out of /etc/init.d/ and /etc/rcX.d can also get started (start), restarted (restart) and stopped (stop) for MDV and el6 and many other distributions manually by a command like:
"sh /etc/init.d/linfw3 start".

Start of the database server mysqld (el6.remi): like rc.local above, but the bind-address has to be commented in /etc/my.cnf.
Reverse-Proxy daemon (init-script) nginx (el6): like rc.local above too, but before you do this, copy "cp -axf /usr/lib/perl5/ /usr/local/share/perl5&quto; and "cp -axf /usr/lib/perl5/warnings* /usr/local/share/perl5/".
Apache webserver daemon httpd (el6): like rc.local above, but modules have to be configured well, eventually remove them.
Print server daemon: cups (pclos)
LAN-server resp. - clients: samba-... (el6); samba is not required for single pc-workstations connected with a DSL-router

But before these init-scripts get started, configure the server in their own configuration-files in /etc ! ...

Detailed includes of /etc/rc.local and one more script in /usr/sbin for ACL-access-rights are listed further below. Both will be started as runlevel-init-scripts (daemons) each boot out of /etc/init.d .

OKImportant access-rights each system-boot, meaning of UNIX/Linux-groups
Files and directories with unrestricted access-rights can be found out, even without root-rights:
The command

find / -path /proc -prune -o -type f -perm 666

finds all files within the complete file-system except within "/proc", that can be read and overwritten (write). The next one,

find / -path /proc -prune -o -type f -perm 777

lists all such files, that are executable too.

find / -path /proc -prune -o -type d -perm 777

finds directores, that are ready for read and write.

Instead of giving directorese and files the full access rights (chmod 777), it is the better to use groups for the common used files by the command

chgrp [-R] [group] [file/Directory]

777 ->, 770, 775 -> 770, 755 ->, 750, 641 ->, 640 usw.

For this, at least following user should belong to the group of root: standard group root, uuid, lp, lpadmin, tty, user and toruser.

Be a little bit careful with this! We almost resign from this assignment of users to the group of root in main in future, but whoever wants can try to restrict even more the access rights this way...

OKchgrp changes the group of directories and files. For the full access by different user and groups only the access-right 770 for directories and 660 for files have to be set only..

OKImportant access-rights set each system boot
chown root:root / # Notice: It would be much better to enter all chown and chmod here in /etc/ and in the adequate form there only!
chown root:root /* # -> /etc/
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chmod 400 /etc/shadow*
chmod 400 path_to_encrypted_key_file_for_LUKS_encrypted_partitions

Also set in /etc/permissions.local "/usr/sbin/suexec root:root 0755" (instead of 4755) ! In order to gain a first, short overview for more access-rights within /etc/rc.local set each boot ( for a second we are going to list them more in detail soon ). They do not make the system working only secure, they also do let work it mouseclick-fast :

chmod 111 /# Notice: It would be much better to enter all chown and chmod here in /etc/ and in the adequate form there only!
chmod 755 /usr # 755 needed for caffeine only, else 751
chmod 751 /bin
chmod 751 /var # resp. 750, if user belongs to the group of root
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /usr/lib64
# chmod 751 -R /usr/lib64/python2.6
# chmod 751 -R /usr/lib/python2.6 # shall have got the same include as /usr/lib64/python2.6
chmod 751 /usr/lib64/kde4
chmod 751 /etc # resp. chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/* # resp.chmod 750, if the groups listed above belong to root, same for /opt and /var, but we won&#t follow this in future.
chmod 755 /etc/bashrc
chmod 755 -R /etc/font*
chmod 755 /etc/group
chmod 755 /etc/nsswitch.conf
chmod 755 /etc/
chmod 755 -R /etc/pango*
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 700 -R /etc/init.d
chmod 700 -R /etc/rc0.d
chmod 700 -R /etc/rc1.d
chmod 700 -R /etc/rc2.d
chmod 700 -R /etc/rc3.d
chmod 700 -R /etc/rc4.d
chmod 700 -R /etc/rc5.d
chmod 700 -R /etc/rc6.d
chown root:shadow /etc/shadow*
chmod 400 /etc/shadow*
chown root:root /etc/passwd*
chmod 644 /etc/passwd*
chown root:root /etc/fstab*
chmod 400 /etc/fstab*
chown root:root /etc/crypttab*
chmod 700 /etc/crypttab*
chown root:root /etc/mtab*
chmod 700 /etc/mtab*
chown root:root /etc/hosts
chmod 644 /etc/hosts
chown root:root /etc/mtab* chmod 644 /etc/mtab* # chmod 700: kdf arbeitet nicht
chown root:root /etc/login.defs
chmod 755 /etc/login.defs
chmod 755 -R /etc/firejail
chmod 755 -R /etc/xdg*
chmod 755 -R /etc/resolv.conf
chown root:root -R /etc/modprobe*
chmod 700 -R /etc/modprobe*
chmod 751 /opt # resp. 750, if user belongs to the group of root
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chown root:root /usr/bin
chown root:root /usr/sbin
chown root:root /usr/lib64
chown root:root /usr/lib
chown root:root /usr/libexec
chown root:root /usr/share
chown root:root /root
chmod 700 /usr/bin/xterm # terminals (except your favorite one)
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/byobu*
chmod 700 /usr/bin/terminator*
chmod 700 /usr/bin/quadkonsole*
chmod 700 /usr/bin/lxterminal*
chmod 700 /usr/bin/yakuake*
chmod 700 /usr/bin/aterm
chmod 700 /usr/bin/multi-aterm
chmod 700 /usr/bin/tcsh*
chmod 700 /usr/bin/rxvt*
chown root:firejail /usr/bin/firejail
chmod 04750 /usr/bin/firejail # For this, surfuser must be a member of the primary group named firejail of firejail !
chmod 644 /etc/passwd
chmod 644 /etc/security/msec/*.secure
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 /home/uuidd
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente

OK# from permissions (OpenSuSE, chkstat), level: secure with some changes
/ root:root 111
/root/ root:root 700
/tmp/ root:root 1777
/tmp/.X11-unix/ root:root 1777
/tmp/.ICE-unix/ root:root 1777
/dev/ root:root 755
/bin/ root:root 751
/sbin/ root:root 751
/lib/ root:root 751
/etc/ root:root 751
/home/ root:root 711
/boot/ root:root 755
/opt/ root:root 751
/usr/ root:root 755
/usr/local root:root 755
# /var:

/var/tmp/ root:root 1777
/var/log/ root:root 755
/var/spool/ root:root 755
/var/spool/mqueue/ root:root 700
/var/spool/news/ news:news 775
/var/spool/voice/ root:root 755
/var/spool/mail/ root:root 1777
/var/adm/ root:root 755
/var/adm/backup/ root:root 700
/var/cache/ root:root 755
/var/cache/man/ man:root 755
/var/run/nscd/socket root:root 666
/run/nscd/socket root:root 666
/var/run/sudo/ root:root 700
/run/sudo/ root:root 700

# login tracking
/var/log/lastlog root:root 644
/var/log/faillog root:root 600
/var/log/wtmp root:utmp 664
/var/log/btmp root:utmp 600
/var/run/utmp root:utmp 664
/run/utmp root:utmp 664

# some device files

/dev/zero root:root 666
/dev/null root:root 666
/dev/full root:root 666
/dev/ip root:root 660
/dev/initrd root:disk 660
/dev/kmem root:kmem 640

# /etc
/etc/lilo.conf root:root 600
/etc/passwd root:root 644
/etc/shadow root:shadow 400
/etc/init.d/ root:root 755
/etc/hosts root:root 644
# Changing the hosts_access(5) files causes trouble with services
# that do not run as root!
/etc/hosts.allow root:root 644
/etc/hosts.deny root:root 644
/etc/hosts.equiv root:root 644
/etc/hosts.lpd root:root 644
/etc/ root:root 644
/etc/ root:root 644

/etc/opiekeys root:root 600

/etc/ppp/ root:root 750
/etc/ppp/chap-secrets root:root 600
/etc/ppp/pap-secrets root:root 600

# sysconfig files:
/etc/sysconfig/network/providers/ root:root 700

# utempter
/usr/lib/utempter/utempter root:utmp 2755

# ensure correct permissions on ssh files to avoid sshd refusing
# logins (bnc#398250)
/etc/ssh/ssh_host_key root:root 600
/etc/ssh/ root:root 644
/etc/ssh/ssh_host_dsa_key root:root 600
/etc/ssh/ root:root 644 /etc/ssh/ssh_host_rsa_key root:root 600
/etc/ssh/ root:root 644
/etc/ssh/ssh_config root:root 644
/etc/ssh/sshd_config root:root 640

# legacy
# new traceroute program by Olaf Kirch does not need setuid root any more.
/usr/sbin/traceroute root:root 755

# games:games 775 safe as long as we don´t change files below it (#103186)
# still people do it (#429882) so root:root 755 is the consequence.
/var/games/ root:root 0755

# No longer common. Set setuid bit yourself if you need it
# (#66191)
#/usr/bin/ziptool root:trusted 0755

# udev static devices (#438039)
/lib/udev/devices/net/tun root:root 0666
/lib/udev/devices/null root:root 0666
/lib/udev/devices/ptmx root:tty 0666
/lib/udev/devices/tty root:tty 0666
/lib/udev/devices/zero root:root 0666

# named chroot (#438045)
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666

# opiesu is not allowed setuid root as code quality is bad (bnc#882035)
/usr/bin/opiesu root:root 0755

# we no longer make rpm build dirs 1777
/usr/src/packages/SOURCES/ root:root 0755
/usr/src/packages/BUILD/ root:root 0755
/usr/src/packages/BUILDROOT/ root:root 0755
/usr/src/packages/RPMS/ root:root 0755
/usr/src/packages/RPMS/alphaev56/ root:root 0755
/usr/src/packages/RPMS/alphaev67/ root:root 0755
/usr/src/packages/RPMS/alphaev6/ root:root 0755
/usr/src/packages/RPMS/alpha/ root:root 0755
/usr/src/packages/RPMS/amd64/ root:root 0755
/usr/src/packages/RPMS/arm4l/ root:root 0755
/usr/src/packages/RPMS/armv4l/ root:root 0755
/usr/src/packages/RPMS/armv5tejl/ root:root 0755
/usr/src/packages/RPMS/armv5tejvl/ root:root 0755
/usr/src/packages/RPMS/armv5tel/ root:root 0755
/usr/src/packages/RPMS/armv5tevl/ root:root 0755
/usr/src/packages/RPMS/armv6l/ root:root 0755
/usr/src/packages/RPMS/armv6vl/ root:root 0755
/usr/src/packages/RPMS/armv7l/ root:root 0755
/usr/src/packages/RPMS/athlon/ root:root 0755
/usr/src/packages/RPMS/geode/ root:root 0755
/usr/src/packages/RPMS/hppa2.0/ root:root 0755
/usr/src/packages/RPMS/hppa/ root:root 0755
/usr/src/packages/RPMS/i386/ root:root 0755
/usr/src/packages/RPMS/i486/ root:root 0755
/usr/src/packages/RPMS/i586/ root:root 0755
/usr/src/packages/RPMS/i686/ root:root 0755
/usr/src/packages/RPMS/ia32e/ root:root 0755
/usr/src/packages/RPMS/ia64/ root:root 0755
/usr/src/packages/RPMS/mips/ root:root 0755
/usr/src/packages/RPMS/noarch/ root:root 0755
/usr/src/packages/RPMS/pentium3/ root:root 0755
/usr/src/packages/RPMS/pentium4/ root:root 0755
/usr/src/packages/RPMS/powerpc64/ root:root 0755
/usr/src/packages/RPMS/powerpc/ root:root 0755
/usr/src/packages/RPMS/ppc64/ root:root 0755
/usr/src/packages/RPMS/ppc/ root:root 0755
/usr/src/packages/RPMS/s390/ root:root 0755
/usr/src/packages/RPMS/s390x/ root:root 0755
/usr/src/packages/RPMS/sparc64/ root:root 0755
/usr/src/packages/RPMS/sparc/ root:root 0755
/usr/src/packages/RPMS/sparcv9/ root:root 0755
/usr/src/packages/RPMS/x86_64/ root:root 0755
/usr/src/packages/SPECS/ root:root 0755
/usr/src/packages/SRPMS/ root:root 0755
# /etc
/etc/crontab root:root 600
/etc/exports root:root 644
/etc/fstab root:root 400
/etc/ftpusers root:root 644
/var/lib/nfs/rmtab root:root 644
/etc/syslog.conf root:root 600
/etc/ssh/sshd_config root:root 600
# we might want to tighten that up in the future in this profile (remove the
# ability for others to read/enter)
/etc/cron.d root:root 755
/etc/cron.daily root:root 755
/etc/cron.hourly root:root 755
/etc/cron.monthly root:root 755
/etc/cron.weekly root:root 755

# suid system programs that need the suid bit to work:
/bin/su root:root 4755
# disable at and cron for users that do not belnong to the group "trusted"
/usr/bin/at root:trusted 0750
/usr/bin/crontab root:trusted 0750
/usr/bin/gpasswd root:shadow 4755
/usr/bin/newgrp root:root 0755
/usr/bin/passwd root:shadow 4755
/usr/bin/chfn root:shadow 4755
/usr/bin/chage root:shadow 0755
/usr/bin/chsh root:shadow 0755
/usr/bin/expiry root:shadow 0755
/usr/bin/sudo root:root 4755
/usr/sbin/su-wrapper root:root 0755
# opie password system
# /usr/bin/opiepasswd root:root 0755
/sbin/mount.nfs root:root 0755
/usr/bin/fusermount root:trusted 4750
# needs setuid root when using shadow via NIS:
/sbin/unix_chkpwd root:shadow 0755
/sbin/unix2_chkpwd root:shadow 0755

# squid changes
/var/cache/squid/ squid:root 0750
/var/log/squid/ squid:root 0750
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
/usr/sbin/basic_pam_auth root:shadow 2750

# still to be converted to utempter /usr/lib/gnome-pty-helper root:utmp 2755

# mixed section: most of it is disabled in this
# video
/usr/bin/v4l-conf root:video 0750

# turned off write and wall by disabling sgid tty:
/usr/bin/wall root:tty 0755
/usr/bin/write root:tty 0755
# thttpd: sgid + executeable only for group www. Useless...
/usr/bin/makeweb root:www 2750
# pcmcia:
# Needs setuid to eject cards (#100120)
/sbin/pccardctl root:trusted 4750
# gnokii nokia cellphone software
# #66209
/usr/sbin/mgnokiidev root:uucp 755
# mailman mailing list software
# #66315
/usr/lib/mailman/cgi-bin/admin root:mailman 2755
/usr/lib/mailman/cgi-bin/admindb root:mailman 2755
/usr/lib/mailman/cgi-bin/edithtml root:mailman 2755
/usr/lib/mailman/cgi-bin/listinfo root:mailman 2755
/usr/lib/mailman/cgi-bin/options root:mailman 2755
/usr/lib/mailman/cgi-bin/private root:mailman 2755
/usr/lib/mailman/cgi-bin/roster root:mailman 2755
/usr/lib/mailman/cgi-bin/subscribe root:mailman 2755
/usr/lib/mailman/cgi-bin/confirm root:mailman 2755
/usr/lib/mailman/cgi-bin/create root:mailman 2755
/usr/lib/mailman/cgi-bin/editarch root:mailman 2755
/usr/lib/mailman/cgi-bin/rmlist root:mailman 2755
/usr/lib/mailman/mail/mailman root:mailman 2755

# libgnomesu (#75823, #175616)
/usr/lib/libgnomesu/gnomesu-pam-backend root:root 4755

# networking (need root for the privileged socket)
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep
/usr/bin/ping6 root:root 0755
+capabilities cap_net_raw=ep
# mtr is linked against ncurses. no suid bit, for root only:
/usr/sbin/mtr root:dialout 0750
/usr/bin/rcp root:root 0000
/usr/bin/rlogin root:root 0000
/usr/bin/rsh root:root 0000

# exim
/usr/sbin/exim root:root 0755

# dialup networking programs
/usr/sbin/pppoe-wrapper root:dialout 4750
# i4l package (#100750):
/sbin/isdnctrl root:dialout 4750
# #66111
/usr/bin/vboxbeep root:trusted 0755

# linux text console utilities
# setuid needed on the text console to set the terminal content on ctrl-o
# #66112
/usr/lib/mc/cons.saver root:root 0755

# terminal emulators
# This and future SUSE products have support for the utempter, a small helper
# program that does the utmp/wtmp update work with the necessary rights.
# The use of utempter obsoletes the need for sgid bits on terminal emulator
# binaries. We mention screen here, but all other terminal emulators have
# moved to /etc/permissions, with modes set to 0755.

# needs setuid to access /dev/console
# framebuffer terminal emulator (japanese)
/usr/bin/jfbterm root:tty 0755

# kde
# (all of them are disabled in except for
# the helper programs)
# needs setuid root when using shadow via NIS:
# #66218
/usr/lib/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib64/kde4/libexec/kcheckpass root:shadow 4755
/usr/lib/kde4/libexec/kdesud root:nogroup 2755
/usr/lib64/kde4/libexec/kdesud root:nogroup 2755
/usr/lib/libexec/kf5/kdesud root:nogroup 2755
/usr/lib64/libexec/kf5/kdesud root:nogroup 2755

# bnc#523833
/usr/lib/kde4/libexec/start_kdeinit root:root 4755
/usr/lib64/kde4/libexec/start_kdeinit root:root 4755

# amanda
/usr/sbin/amcheck root:amanda 0750
/usr/lib/amanda/calcsize root:amanda 0750
/usr/lib/amanda/rundump root:amanda 0750
/usr/lib/amanda/planner root:amanda 0750
/usr/lib/amanda/runtar root:amanda 0750
/usr/lib/amanda/dumper root:amanda 0750
/usr/lib/amanda/killpgrp root:amanda 0750

# gnats
/usr/lib/gnats/gen-index gnats:root 4555
/usr/lib/gnats/pr-edit gnats:root 4555
/usr/lib/gnats/queue-pr gnats:root 4555

# news (inn)
# the inn start script changes it´s uid to news:news. Later innbind
# is called by this user. Those programs do not need to be called by
# anyone else, therefore the strange permissions 4554 are required
# for operation. (#67032, #594393)
/usr/lib/news/bin/rnews news:uucp 4550
/usr/lib/news/bin/inews news:news 2555
/usr/lib/news/bin/innbind root:news 4550

# sendfax
# restrictive, only for "trusted" group users:
/usr/lib/mgetty+sendfax/faxq-helper fax:root 4755
/var/spool/fax/outgoing/ fax:root 0755
/var/spool/fax/outgoing/locks fax:root 0755

# uucp
/var/spool/uucppublic/ root:uucp 1770
/usr/bin/uucp uucp:uucp 6555
/usr/bin/uuname uucp:uucp 6555
/usr/bin/uustat uucp:uucp 6555
/usr/bin/uux uucp:uucp 6555
/usr/lib/uucp/uucico uucp:uucp 6555
/usr/lib/uucp/uuxqt uucp:uucp 6555

# pcp (bnc#782967)
/var/lib/pcp/tmp/ root:root 0755
/var/lib/pcp/tmp/pmdabash/ root:root 0755
/var/lib/pcp/tmp/mmv/ root:root 0755
/var/lib/pcp/tmp/pmlogger/ root:root 0755
/var/lib/pcp/tmp/pmie/ root:root 0755

# PolicyKit (#295341)
/usr/lib/PolicyKit/polkit-set-default-helper polkituser:root 4755
/usr/lib/PolicyKit/polkit-read-auth-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-revoke-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-explicit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper root:polkituser 2755
/usr/lib/PolicyKit/polkit-grant-helper-pam root:polkituser 4750

# polkit new (bnc#523377)
/usr/lib/polkit-1/polkit-agent-helper-1 root:root 4755
/usr/bin/pkexec root:root 4755

# dbus-1 (#333361)
/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
# dbus-1 in /usr #1056764)
/usr/lib/dbus-1/dbus-daemon-launch-helper root:messagebus 4750
/usr/lib64/dbus-1/dbus-daemon-launch-helper root:messagebus 4750

# policycoreutils (#440596)
/usr/bin/newrole root:root 0755

# VirtualBox (#429725)
/usr/lib/virtualbox/VirtualBox root:vboxusers 0755
# bsc#1120650
/usr/lib/virtualbox/VirtualBoxVM root:vboxusers 0750
/usr/lib/virtualbox/VBoxHeadless root:vboxusers 0755
/usr/lib/virtualbox/VBoxSDL root:vboxusers 0755
# (bnc#533550)
/usr/lib/virtualbox/VBoxNetAdpCtl root:vboxusers 0755
# bnc#669055
/usr/lib/virtualbox/VBoxNetDHCP root:vboxusers 0755
# bsc#1033425
/usr/lib/virtualbox/VBoxNetNAT root:vboxusers 0755

# open-vm-tools (bnc#474285)
/usr/bin/vmware-user-suid-wrapper root:root 0755

# lockdev (bnc#588325)
/usr/sbin/lockdev root:lock 2755

# hawk (bnc#665045)
/usr/sbin/hawk_chkpwd root:haclient 4750
/usr/sbin/hawk_invoke root:haclient 4750

# chromium (bnc#718016)
/usr/lib/chrome_sandbox root:root 4755

# ecryptfs-utils (bnc#740110)
/sbin/mount.ecryptfs_private root:root 0755

# wireshark (bsc#957624)
/usr/bin/dumpcap root:wireshark 0750
+capabilities cap_net_raw,cap_net_admin=ep

# singularity (bsc#1028304)
# these have been dropped in version 2.4 (see bsc#1111411, comment 4)
#/usr/lib/singularity/bin/expand-suid root:singularity 4750
#/usr/lib/singularity/bin/create-suid root:singularity 4750
#/usr/lib/singularity/bin/export-suid root:singularity 4750
#/usr/lib/singularity/bin/import-suid root:singularity 4750
/usr/lib/singularity/bin/action-suid root:singularity 4750
/usr/lib/singularity/bin/mount-suid root:singularity 4750
/usr/lib/singularity/bin/start-suid root:singularity 4750

/usr/bin/su root:root 4755
/usr/bin/mount root:root 4755
/usr/bin/umount root:root 4755

# cdrecord of cdrtools from Joerg Schilling (bnc#550021)
# in secure mode, no provisions are made for reliable cd burning, as admins
# will have very likely prohibited that anyway.
/usr/bin/cdrecord root:root 755
/usr/bin/readcd root:root 755
/usr/bin/cdda2wav root:root 755

# qemu-bridge-helper (bnc#765948, bsc#988279)
/usr/lib/qemu-bridge-helper root:kvm 04750

# systemd-journal (bnc#888151)
/var/log/journal/ root:systemd-journal 2755

#iouyap (bnc#904060)
/usr/lib/iouyap root:iouyap 0750

# radosgw (bsc#943471)
/usr/bin/radosgw root:www 0750
+capabilities cap_net_bind_service=ep

# gstreamer ptp (bsc#960173)
/usr/lib/gstreamer-1.0/gst-ptp-helper root:root 0755
+capabilities cap_net_bind_service=ep

# suexec is only secure if the document root doesn´t contain files
# writeable by wwwrun. Make sure you have a safe server setup
# before setting the setuid bit! See also
# You need to override this in permissions.local.
# suexec2 is a symlink for now, leave as-is
/usr/sbin/suexec root:root 0755

# newgidmap / newuidmap (bsc#979282, bsc#1048645)
/usr/bin/newgidmap root:shadow 4755
/usr/bin/newuidmap root:shadow 4755

# kwayland (bsc#1062182)
/usr/bin/kwin_wayland root:root 0755
+capabilities cap_sys_nice=ep

# gvfs (bsc#1065864)
/usr/lib/gvfs/gvfsd-nfs root:root 0755

# icinga2 (bsc#1069410)
/run/icinga2/cmd icinga:icingagmd 2750

# fping (bsc#1047921)
/usr/sbin/fping root:root 0755
+capabilities cap_net_raw=ep

# usbauth (bsc#1066877)
/usr/bin/usbauth-npriv root:usbauth 04750
/usr/lib/usbauth-notifier root:usbauth-notifier 0750
/usr/lib/usbauth-notifier/usbauth-notifier root:usbauth 02755

# spice-gtk (bsc#1101420)
/usr/bin/spice-client-glib-usb-acl-helper root:kvm 04750

# smc-tools (bsc#1102956)
/usr/lib/ root:root 04755
/usr/lib64/ root:root 04755

# lxc (bsc#988348)
/usr/lib/lxc/lxc-user-nic root:kvm 04750

# firejail (bsc#1059013) /usr/bin/firejail root:firejail 04750 # For this, surfuser must be member of the primary group named firejail of firejail !

# authbind (bsc#1111251)
/usr/lib/authbind/helper root:root 04755

# fuse3 (bsc#1111230)
/usr/bin/fusermount3 root:trusted 04750

# 389-ds (bsc#1111564)
/usr/sbin/ns-slapd root:dirsrv 0750
/ root:root 111
/home root:root 711
/home/user user:user 700
/home/surfuser surfuser:surfuser 700
/home/toranonym toruser:torgroup 700
/usr/src root:root 700
/usr/lib64 root:root 751
/usr/lib64/kde4 root:root 751
/usr root:root 755
/bin root:root 751
/sbin root:root 751
/lib64 root:root 751
/lib root:root 751
/root root:root 700
/initrd root:root 751
/misc root:root 751
/boot-save root:root 000
/usr/games root:root 751
/net root:root 751
/secoff root:root 710
/sid-root root:root 700
/srv root:root 751
/sys root:root 751
/var root:root 751
/mnt root:root 755
/media root:root 711
/initrd root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/local/Brother root:root 755
/GenuineIntel.bin root:root 710
/Module.symvers root:root 751
/usr/lib/cups root:sys 755
/usr/share/cups root:sys 755
/etc/cups root:sys 755
/smack root:root 700
/usr/share root:root 755
/usr/share/* root:root 755
/usr/libexec root:root 751
/usr/libexec/* root:root 755
/usr/lib64/kde4 root:root 751
/home/user/Dokumente user:user 700
/home/user/Dokumente/* user:user 700
/home/user/.kde4 user:user 700
/home/user/.kde4/* user:user 700
/home/user/.kde4/share/apps/kmail/mail user:user 700
/home/user/.kde4/share/apps/kmail/mail/*/*/* user:user 700
/home/surfuser/.mozilla surfuser:surfuser 100
/var/cache root:root 755
/var/cache/cups root:sys 775
/var/cache/cups/ppds.dat lp:sys 755
/var/cache/cups/job.cache root:sys 755
/var/cache/cups/help.index lp:sys 755
/var/cache/pdnsd pdnsd:pdnsd 755
/var/cache/pdnsd/pdnsd.cache pdnsd:pdnsd 755
/var/cache/coolkey root:root 755
/var/cache/urpmi root:root 755
/var/cache/apparmor root:root 755
/home/uuidd uuidd:uuidd 700
/usr/libexec root:root 755
/usr/lib/cups/filter root:sys 755 # Gruppe sys, abhängig von /etc/cups/cupsd.conf
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/ root:sys 755
/usr/share/cups/* root:sys 755
/usr/share/cups/model/ root:sys 755
/var/spool root:root 755
/var/spool/MailScanner root:root 755
/usr/lib/cups/filter/* root:sys 755
/usr/lib/cups/driver/* root:sys 755
/usr/share/cups/* root:sys 755
/etc/cups root:sys 755
/etc/cups/* root:sys 755
/var/cache/cups root:sys 775
/var/cache/cups/rss root:sys 775
/lib64/ld*.so root:root 755
/lib64/libc-*.so root:root 755
/usr/lib64/kde4 root:root 751
/usr/lib64/kde4/* root:root 755
/usr/share root:root 755
/usr/games root:root 751
/etc/security/msec/*.secure root:root 751
/usr/local root:root 755
/usr/share/* root:root 755
/usr/bin/rsh root:root 0000
/usr/bin/rlogin root:root 0000
/usr/bin/rcp root:root 0000
/usr/bin/telnet* root:root 0000
/usr/bin/scp root:root 0000
/kerberos/bin/rsh root:root 0000
/kerberos/bin/rlogin root:root 0000
/kerberos/bin/rcp root:root 0000
/kerberos/bin/telnet* root:root 0000
/home/user/.kde4/share/config root:root 755
/home/user/.kde4/share/apps root:root 755
/home/user/.kde4/share/icons root:root 755

Start permissions for example in /etc/rc.local: chkstat --set --no-fscaps /etc/permissions # rpm "permissions" from OpenSuSE (even possible for CentOS 6)
chkstat --set --no-fscaps /etc/ # configuration from right above
chkstat --set --no-fscaps /etc/permissions.local # ... but configure it at first!

... oh, where does it belong to (this line went out)?: +capabilities cap_net_bind_service=ep

capsh, getcap, setcap, ...
linux - Using capsh to drop all capabilities - Stack Overflow
root: All caps are assigned to root by default !
pub enum Capability { CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID, CAP_SETUID, CAP_SETPCAP Drops the capability for the current process via a call to cap_drop_bound.0x0000003fffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,37...
capsh --print Current: = Bounding set = Securebits: 00/0x0/1´b0 secure-noroot: no (unlocked) secure-no-suid-fixup: no (unlocked) secure-keep-caps: no (unlocked) uid=10101(u0_a101) gid=10101...
/etc/ :
/usr/sbin/pinger squid:root 0750
+capabilities cap_net_raw=ep
/usr/bin/ping root:root 0755
+capabilities cap_net_raw=ep

OK/etc/rc.local (complete, vollständig)
# Provides: rc.local
# X-Mandriva-Compat-Mode
# Default-Start: 2 3 4 5
# Short-Description: Local initialization script
# Description: This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don´t
# want to do the full Sys V style init stuff.
sysctl -p /etc/sysctl.conf
auditctl -e0
echo 1 > /sys/devices/system/cpu/microcode/reload
# microcode_ctl -Qu
sh /usr/libexec/microcode_ctl/reload_microcode
hdparm -W1a0A0 /dev/sda # mausklick-schnelle SSD am S-ATA-Port, beachte die Anschlussnummer (1: sda, 2: sdb, ...)
echo deadline > /sys/block/sdb/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "" > /etc/securetty
# # cat /proc/sys/net/ipv4/tcp_congestion_control
# modprobe tcp_htcp
modprobe sch_fq_codel
modprobe tcp_cubic
# modprobe tcp_bbr
# echo sch_fq_codel > /proc/sys/net/core/default_qdisc
echo cubic > /proc/sys/net/ipv4/tcp_congestion_control
macchanger --mac=ac:22:ca:00:00:c1 eth0
echo sch_fq_codel > /proc/sys/net/core/default_qdisc
xhost -
xhost +si:localuser:user
xhost -inet6:user@
xhost -nis:user@
xhost -
xhost -
# echo 1 > /proc/sys/net/ipv4/conf/all/hidden # or net.ipv4.conf.all.hidden=1 within /etc/sysctl.conf
# echo 1 > /proc/sys/net/ipv4/conf/eth0/hidden
# echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/all/shared_media
# echo 1 > /proc/sys/net/ipv4/conf/eth0/secure_redirects
# echo 0 > /proc/sys/net/ipv4/conf/eth0/shared_media
touch /var/lock/subsys/local
modprobe usblp
modprobe usb_storage
ifconfig eth0 -multicast
ifconfig lo -multicast
ifconfig lo -broadcast
ip link set eth0 multicast off
ip link set lo multicast off
sh /etc/init.d/ip6tables restart # wenn iptables-ipv6 (el6) neben iptables (el6) installiert worden ist; Der gesamte Traffic innerhalb des neuen Adressraums IPv6 wird auf INPUT, OUTPUT und FORWARD mit Linfw3 geblockt, siehe Regeln innerhalb /etc/sysconfig/ip6tables. Anstelle dieses totalen Blocks können alle IPv4-Regeln von Linfw3 in /usr/local/ nach /etc/sysconfig/ip6tables übernommen werden, indem ipt="iptables" mit ipt="ip6tables" ausgestauscht wird. Überprüfe außerdem, ob /sbin/ip6tables* richtig mit /sbin/ip6tables-multi verlinkt ist.
mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2
#sh /etc/init.d/syslog start
sh /etc/init.d/rsyslog start
cp -fp /etc/hosts.savenew /etc/hosts
cp -fp /etc/pdnsd-savenew.conf /etc/pdnsd.conf
# cp -fp /boot-save/ifcfg-eth0* /etc/sysconfig/network-scripts/
cp -fp /boot-save/70-persistent-net.rules /etc/udev/rules.d/
export RESOLV_HOST_CONF="/etc/hosts"
# sh /etc/init.d/incrond start
# sh /etc/init.d/noflushd start
# gpg-agent --daemon --use-standard-socket
# atieventsd
# dhclient -4 -cf /etc/dhcp/dhclient.conf eth0 &
# NetworkManager --log-level=ERR
# preload
# ifup eth0
# acpid&
# dnssec-triggerd
# unbound -dv -c /etc/unbound/unbound.conf
# tcpd &
# sh /etc/init.d/xfs start
# sh /etc/init.d/psad start
# paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld
# dnscrypt-proxy --daemonize --user=pdnsd --local-address -r -l --tcp-port 443 /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address -r --tcp-port 443 -l /dev/null
# dnscrypt-proxy --daemonize --user=pdnsd --local-address -r --tcp-port 443 -l /dev/null
# cp -fp /var/cache/pdnsd.cache /var/cache/pdnsd-savenew.cache
# speechd
# artsd&
# killall plymouthdxhost -
# sh /etc/init.d/lpd start
# redshift -l 60:10 -t 6500K:6200K&
sh /etc/init.d/modules-disabled start# kernel.modules_disabled=1, here after 45 seconds
chkstat --set --no-fscaps /etc/permissions # rpm permissions form OpenSuSE
chkstat --set --no-fscaps /etc/
#apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &
#apparmor_parser -af /etc/apparmor/profiles/sbin.dhclient &
#apparmor_parser -af /etc/apparmor/profiles/ &
#apparmor_parser -af /etc/apparmor/profiles/usr.bin/passwd &
#apparmor_parser -af /etc/apparmor/profiles/extras/ &
# /usr/lib64/apparmorapplet&
unshare apparmor-dbus &
echo "ALLOW_REBOOT=yes" >> /etc/security/msec/security.conf
echo "BASE_LEVEL=secure" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_MSEC=yes" > /etc/security/msec/security.conf
echo "ENABLE_STARTUP_PERMS=enforce" > /etc/security/msec/security.conf
msec -f secure # msec: rpm from Mandriva Linux and Rosalabs
# chmod 666 /dev/usb/lp0 # besser: Sämtliche chown und chmod in /etc/ in der vorgesehenen Form eintragen!
chown pdnsd:pdnsd -R /var/cache/pdnsd
chmod 755 /var/cache/pdnsd/pdnsd.cache
chown root:root /etc/hosts
chmod 400 /usr/local/key
chmod 644 /etc/hosts
chmod 111 /
chmod 751 /etc
chmod 755 /etc/sysconfig/network
chmod 755 /etc/sysconfig/network-scripts
chmod 400 /etc/shadow*
chmod 400 /etc/fstab*
chmod 700 /etc/crypttab*
chmod 700 /etc/mtab*
chmod 711 /home
chmod 700 /home/user
chmod 700 /home/surfuser
chmod 700 -R /home/surfuser/.mozilla
chown root:root /home/surfuser/.mozilla/firefox/profile.default/user.js
chmod 755 /home/surfuser/.mozilla/firefox/profile.default/user.js
chown root:root /home/surfuser/.mozilla/firefox/prefs.js
chmod 755 /home/surfuser/.mozilla/firefox/prefs.js
chmod 700 -R /home/surfuser/.moon*
chmod 700 -R /usr/src
chmod 751 /etc/X11
chmod 751 /usr/lib64
chmod 751 /usr/lib64/kde4
chmod 700 /home/toruser
chmod 700 -R /home/user/Dokumente
chmod 700 /home/uuidd
chmod 400 /usr/local/ke*
chmod 755 /usr
chmod 751 /bin
chmod 751 /sbin
chmod 751 /lib64
chmod 751 /opt
chmod 751 /lib
chmod 700 /root
chmod 700 -R /etc/init.d
chmod 751 /initrd
chmod 751 /misc
chmod 700 -R /boot-save
chmod 644 /etc/passwd
chmod 751 /usr/games
chmod 751 /net
chmod 710 /secoff
chmod 700 /sid-root
chmod 700 /smack
chmod 751 /srv
chmod 751 /sys
chmod 700 /typo3i*
chmod 751 /var
chmod 700 /lost*found
chmod 710 /intel-ucode*
chmod 751 /initrd
chmod 710 /GenuineIntel.bin
chmod 751 /etc/security/msec/*.secure
chmod 751 /Module.symvers
rm -df /home/surfuser/.Xauth*.*
rm -df /home/surfuser/.xauth*
rm -df /home/toruser/.xauth*
rm -df /home/toruser/.Xauth*.*
rm -df /home/user/.kde4/share/apps/kmail/mail/Spam/cur/*
rm -df /var/spool/cups/a*
rm -df /var/spool/cups/b*
rm -df /var/spool/cups/c*
rm -df /var/spool/cups/d*
rm -df /var/spool/cups/e*
rm -df /var/spool/cups/f*
rm -df /var/spool/cups/g*
rm -df /var/spool/cups/h*
rm -df /var/spool/cups/i*
rm -df /var/spool/cups/j*
rm -df /var/spool/cups/k*
rm -df /var/spool/cups/l*
rm -df /var/spool/cups/m*
rm -df /var/spool/cups/o*
rm -df /var/spool/cups/p*
rm -df /var/spool/cups/q*
rm -df /var/spool/cups/r*
rm -df /var/spool/cups/s*
rm -df /var/spool/cups/u*
rm -df /var/spool/cups/v*
rm -df /var/spool/cups/w*
rm -df /var/spool/cups/x*
rm -df /var/spool/cups/y*
rm -df /var/spool/cups/z*
echo ´V´ > /dev/watchdog
sh /etc/init.d/dosetfacls start# Script dosetfacls right up in the following

OKAlso create file (runlevel-init-script)

OKErzeuge noch

# This is file /etc/rc.d/init.d/linfw3 and was put here
# by the linfw3 rpm
# chkconfig: 2345 92 36
# description: secure iptables based firewall against all hacker and trojans \
# evtl. change chkconfig Number!

# ********************************************************************
# File : $Source: /cvsroot/ijbswa/current/linfw3.init,v $
# Purpose : This shell script takes care of starting and stopping
# linfw3.
# Copyright : Written by Gooken
# ********************************************************************/

# Source function library.
. /etc/rc.d/init.d/functions

start () {
# start daemon
setfacl -m u:-1:- /* # There is an unnamed (!) process starting from time to time by user so called "-1, root".... listed on the buttom of the listing from ps -aux (gamin, FAM?)
setfacl -m u:-1:- /mnt
setfacl -m u:-1:- /media
setfacl -m u:apache:- /home/user
setfacl -m u:apache:- /home/surfuser
setfacl -m u:apache:- /home/toranonym
setfacl -m u:apache:- /mnt
setfacl -m u:apache:- /media
setfacl -m u:surfuser:- /etc/shadow*
setfacl -m u:toranonym:- /etc/shadow*
setfacl -m u:surfuser:- /etc/fstab*
setfacl -m u:surfuser:- /etc/mtab*
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:toranonym:- /etc/fstab*
setfacl -m u:toranonym:- /etc/mtab*
setfacl -m u:toranonym:- /etc/crypttab*
setfacl -m u:surfuser:- /etc/init.d
setfacl -m u:surfuser:- /etc/init.d/*
setfacl -m u:toranonym:- /etc/init.d
setfacl -m u:toranonym:- /etc/init.d/*
setfacl -m u:surfuser:- /etc/rc0.d
setfacl -m u:surfuser:- /etc/rc1.d
setfacl -m u:surfuser:- /etc/rc2.d
setfacl -m u:surfuser:- /etc/rc3.d
setfacl -m u:surfuser:- /etc/rc4.d
setfacl -m u:surfuser:- /etc/rc5.d
setfacl -m u:surfuser:- /etc/rc6.d
setfacl -m u:surfuser:- /etc/rc.local
setfacl -m u:toranonym:- /etc/rc0.d
setfacl -m u:toranonym:- /etc/rc1.d
setfacl -m u:toranonym:- /etc/rc2.d
setfacl -m u:toranonym:- /etc/rc3.d
setfacl -m u:toranonym:- /etc/rc4.d
setfacl -m u:toranonym:- /etc/rc.local
setfacl -m u:surfuser:- /etc/security/msec
setfacl -m u:surfuser:- /etc/security
setfacl -m u:toranonym:- /etc/security
setfacl -m u:toranonym:- /etc/security/msec
setfacl -m u:surfuser:- /etc/crypttab*
setfacl -m u:surfuser:- /usr/bin/*
setfacl -x surfuser /usr/bin/bash*
setfacl -x surfuser /usr/bin/unshare
setfacl -x surfuser /usr/bin/firejail*
setfacl -x surfuser /usr/bin/firefox*
setfacl -x surfuser /usr/bin/gftp*
setfacl -x surfuser /usr/bin/tor*
setfacl -x surfuser /usr/bin/xauth*
setfacl -x surfuser /usr/bin/xargs*
setfacl -x surfuser /usr/bin/sg*
setfacl -x surfuser /usr/bin/palemoon*
setfacl -x surfuser /usr/bin/export
setfacl -m u:surfuser:- /usr/libexec
setfacl -m u:surfuser:- /usr/sbin
setfacl -m u:surfuser:--x /bin
setfacl -m u:surfuser:- /bin/*
setfacl -m u:surfuser:- /sbin
setfacl -x surfuser /bin/bash*
setfacl -x surfuser /bin/certtool
setfacl -x surfuser /bin/certutil
setfacl -x surfuser /bin/basename
setfacl -x surfuser /bin/bash.old
setfacl -x surfuser /bin/p11tool
setfacl -x surfuser /bin/pk12util
setfacl -x surfuser /bin/smime
setfacl -x surfuser /bin/shlibsign
setfacl -x surfuser /bin/sign*
setfacl -x surfuser /bin/ssltap*
setfacl -m u:surfuser:--x /home/surfuser
setfacl -m u:toranonym:- /home/surfuser
setfacl -m u:surfuser:- /usr/local
setfacl -m u:surfuser:- /opt
setfacl -m u:surfuser:--x /lib64
setfacl -m u:surfuser:--x /usr/lib64
setfacl -m u:surfuser:--x /lib
setfacl -m u:surfuser:--x /usr/lib
setfacl -m u:surfuser:- /misc
setfacl -m u:surfuser:- /net
setfacl -m u:surfuser:- /sid-root
setfacl -m u:surfuser:--x /etc
setfacl -m u:surfuser:- /intel-ucode
setfacl -m u:surfuser:--x /secoff
setfacl -m u:surfuser:- /smack
setfacl -m u:surfuser:- /srv
setfacl -m u:surfuser:- /--tcp-port
setfacl -m u:surfuser:- /initrd
setfacl -m u:surfuser:- /ttf
setfacl -m u:surfuser:- /none
setfacl -m u:surfuser:- /doc
setfacl -m u:surfuser:- /firejail
setfacl -m u:surfuser:- /root
setfacl -m u:surfuser:- /usr/lib64/kde4/*
setfacl -x surfuser /usr/lib64/kde4/libexec
setfacl -m u:surfuser:- /usr/lib64/kde4/libexec/*
setfacl -x surfuser /usr/lib64/kde4/libexec/kdesu*

case "$1" in start)
gprintf "Usage: %s {start|stop|restart|status} " "$LINFW3_PRG"
exit 1

exit $RETVAL

Notice: toranonym is our elder account for tor. Now it´s surfuser too - as general for browsing, but can be used for more privilidges, for many, many processes like for chats or global mapping like marble. surfuser only is enough - just reset belonging setfacl process by process to allow by option -x
Exchange $ again with the dollar-character... and start it each boot within /etc/rc.local by the command "sh /etc/init.d/dosetfacls start" !

OKChange File Attributes (chattr) for example for data integrity ( option -i )
man chattr
User-Extended-Attributes must be set for the belonging partitions!
Also notice the many configuration files in the home-directory, that might get changed by you or automatically. We would resign from "chattr +i" upon them.

chattr +i -R /boot
chattr +i /etc/hosts* # Neben Root-Eigentumsrechten wichtiger Schutz vor Server-Pharming
chattr +i /etc/fstab
chattr +i /home/surfuser/.mozilla
chattr +i /home/surfuser/.mozilla/firefox/*.js
chattr +i /home/surfuser/.mozilla/firefox/profile.default/user.js
chattr +i /home/surfuser/torrc
chattr +i /home/surfuser/geoip*
chattr +i -R /home/user/.*
chattr +i -R /home/user/*
chattr -i -R /home/user/.dbus
chattr -i /home/user/.cache
chattr -i -R /home/user/.gnupg
chattr -i -R /home/user/.pulse*
chattr -i /home/user/.screenrc*
chattr -i /home/user/.esd_auth*
chattr -i /home/user/.Xauthority*
chattr -i /home/user/.Xdefaults*
chattr -i /home/user/.xsession*
chattr -i -R /home/user/.gconf*
chattr -i -R /home/user/.local*
chattr -i -R /home/user/.mcop*
chattr -i -R /home/user/.qt*
chattr -i -R /home/user/.kde*
chattr -i -R /home/user/.wine*
chattr -i -R /home/.MANY_GAMES_CONFIGS
chattr -i -R /home/user/.config*

... und create as described further above the belonging two runlevel-init-scripts (daemons) in /etc/init.d namens rc.local and dosetfacl.
Register those two scripts and active them by default in higher runlevels:

chkconfig --add rc.local && chkconfig --add dosetfacl

Advantage: regardless from packet-installations, significant ACL-access-rights were set each system boot. This keeps the system secure and makes it mouse-click-fast.

Additionally, the grsecurity-patches for the kernel (resp. root-kernel-processes), login-lock /sbin/nologin and password-protection and locking of all system- and user-accounts excecpt surfuser (and maybe a separate toruser), Sandbox Firejail (especially for the lock of the shells/terminals) and Firewall Linfw3 get in use too, beneath Tor resp. the tor-browser with firefox-extensions for script-filtering like ABP, noscript and RequestPolicyBlockContinued and more get in use too.

Set setfacl -m u:surfuser:- /usr/bin/* except for /usr/bin/bash, /usr/bin/firefox, /usr/bin/firejail, /usr/bin/sg, /usr/bin/proftp*, /usr/bin/tor*, /usr/bin/export, /usr/bin/xauth*, /usr/bin/xarg* and all communication programs, surfuser should be able to use.

OKrsyslog anstelle syslogd
Rsyslog is an enhanced multi-threaded syslogd supporting, among others, MySQL, PostgreSQL, syslog/tcp, RFC 3195, permitted sender lists, filtering on any message part, and fine grain output format control. It is quite compatible to stock sysklogd and can be used as a drop-in replacement. Its advanced features make it suitable for enterprise-class, encryption protected syslog relay chains while at the same time being very easy to setup for the novice user. o - Implementation of network related stuff. o - Implementation of regexp related stuff. o - This is the implementation of TCP-based syslog clients. o - Common code for plain TCP based servers. o - This is the implementation of the TCP input module. o - This is the implementation of the UDP input module. o - This is the implementation of the Unix sockets input module. o - The kernel log input module for Linux. o - This is the implementation of the build-in mark message input module. o - This is the input module for reading text file data.

You have to delete all *syslog*-init-script-files out of /etc/rc*.d/ and /etc/init.d/ .

# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see
#### MODULES ####

DollarsignModLoad imuxsock # provides support for local system logging (e.g. via logger command)
Dollarsignimklog # provides kernel logging support (previously done by rklogd)
#DollarsignModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don´t log private authentication messages!
*.warn;mail.none;news.none;authpriv.none;cron.none /tmp/messages
# The authpriv file has restricted access.
authpriv.* /tmp/secure
# Log all the mail messages in one place.
mail.* -/tmp/maillog
# Log cron stuff
cron.* /tmp/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /tmp/spooler
# Save boot messages also to boot.log
local7.* /tmp/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g., port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
news.=crit /tmp/news/news.crit
news.=err /tmp/news/news.err
news.notice /tmp/news/news.notice
news.=debug /tmp/news/news.debug

OK/proc/sys/* - Kernel-flags &Co.: detailed configuration
sysctl.conf - variables are files out of /proc/sys
check settings by "sysctl -a"
# Kernel sysctl configuration file
# /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
# For more information, see sysctl.conf(5) and sysctl.d(5).
# Kernel sysctl configuration file for CentOS and Mandriva Linux
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.
# /etc/sysctl.conf
# additionally from resp.
# Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0
# kernel.modules_disabled=0
# kernel.exec-shield=1
# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG
# capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the
# current user has.

kernel.dmesg_restrict = 1
# kernel.yama.ptrace_scope=3
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
# Do not accept IP source route packets (we are not a router)
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.all.shared_media = 0

​# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv4.tcp_syncookies = 1
# ls /lib/modules/´uname -r´/kernel/net/ipv4/
# modprobe tcp_htcp
# modprobe tcp_cubic
# modprobe tcp_bbr
# net.core.default_qdisc=sch_fq_codel

# net.core.default_qdisc=fq
# net.ipv4.tcp_congestion_control=bbr

# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.rmem_default =212992
net.core.wmem_default =212992
net.core.netdev_max_backlog = 1000
kernel.sysrq = 0
kernel.core_uses_pid = 1
# Optimization for port usefor LBs
# Increase system file descriptor limit
# fs.protected_fifos=1 # this might cause overflow of processes akonadi_maildir: system runs out of capacities
# fs.dir-notify-enable=0
# fs.mount-max=20
# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 3294967295
kernel.shmall = 3294967295
kernel.randomize_va_space = 2

net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
# or: vm.overcommit_kbytes= =3
vm.oom_dump_tasks =0

kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
kernel.printk =0 6 1 3
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
kernel.shmall =-1
# If the kptr_restrict value is 0, kernel addresses are provided without limitations (recommended).
# If the kptr_restict value is 1, addresses are provided if the current user has a CAP_SYSLOG capability.
# If the kptr_restrict value is 2, the kernel addresses are hidden regardless of privileges the current user has.
# ptrace: process tracing
# kernel.yama.ptrace_scope=3 =1000 =200000

# The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576
Example for ulimit, ulimit -a and sysctl -a,


ln -sf /usr/sbin/sysctl /sbin/sysctl

Test sysctl.conf: sysctl -p /etc/sysctl.conf and activate an error-free sysctl by daemon or in /etc/rc.local

sysctl -p /etc/sysctl.config

OKDisable Unwanted SUID- and SGID-Binaries
All SUID/SGID bits enabled file can be misused when the SUID/SGID executable has a security problem or bug. All local or remote user can use such file. It is a good idea to find all such files. Use the find command as follows:
#See all set user id files:
find / -perm +4000
# See all group id files
find / -perm +2000
# Or combine both in a single command
find / ( -perm -4000 -o -perm -2000 ) -print
find / -path -prune -o -type f -perm +6000 -ls

You need to investigate each reported file. See reported file man page for further details.

OKHow to Remove (Delete) Symbolic Links in Linux,, 09.05.2019
A symbolic link, also known as a symlink, is a special type of file that points to another file or directory. It is something like a shortcut in Windows. A symlink can point to a file or a directory on the same or a different filesystem or partition.
In this guide, we will show you how to remove (delete) symbolic links in Linux/UNIX systems using the rm, unlink, and find commands.
find /path/to/directory -maxdepth 1 -xtype l

OKSafe-Linking: Making Linux exploitation harder,, 05.22.2020
Businesses and users alike are constantly on the lookout for easier ways to do things, and shortcuts that help us work faster and with less effort. Unfortunately, bad actors are no different, and are always hunting for existing vulnerabilities or weaknesses, that can be exploited.
[...] A good example of this would be memory corruption attacks, which are often employed to exploit programs written in Linux, the most widely-used open source operating system in the world.
With this in mind, Check Point has created Safe-Linking, a security mechanism to protect the internal structure of the heap - or the portion of memory that is not set to a constant size before compilation and can be controlled dynamically by a programmer - from being tampered with.
[...] Simply put, Safe-Linking removes the address data for the program, so the bad actor can no longer be sure where in the system´s memory it will be loaded - making it much harder for them to launch an exploit against the program," the company adds.

Check Point schließt 20 Jahre alte Sicherheitslücke in Linux,, 26.05.2020
Das Check Point Research Team führt eine neue Schutzmaßnahme für das Betriebssystem ein, die sich Safe-Linking nennt. Uralte Schwachstelle endlich geschlossen.
Das Check Point Research Team führt eine neue Sicherheitsmethode ein, um Linux-Systeme um einiges sicherer zu machen. Den Sicherheitsforschern gelang es, eine 20 Jahre alte und bestens bekannte Sicherheitslücke endlich zu schließen.

[...] In our latest research, we created a security mechanism, called "Safe-Linking", to protect malloc()´s single-linked lists from tampering by an attacker. We successfully pitched our approach to maintainers of core open-source libraries, and it is now integrated into the most common standard library implementation: glibc (Linux) and its popular embedded counterpart: uClibc-NG.

OKUser auditing - The Big Brother is watching you
If you are really paranoid you might want to add a system-wide configuration to audit, what the users are doing in your system. This sections presents some tips using diverse utilities you can use.

- Input and output audit with script,
- Using the shell history file,
- Complete user audit with accounting utilities,
- Other user auditing methods,
- Reviewing user profiles, 4.11.11
- Limiting what users can see/access, 4.11.13
- Limiting access to other user´s information,
- Generating user passwords, 4.11.14
- Checking user passwords

OKkauditd and auditd: Linux Audit Kernel Subsystem and Linux Audit System
Who does audit the code?

kauditd: internal kernel-auditing, for example of windows-titles out of Firefox online.

Kernel-interner audit-Daemon kauditd: URL, Webseiten-Inhalte: Fentstertitel, ... (online mit Browsern wie Firefox)

"00:00:12 [kauditd] dbadmin 4182 1 4182 0 1 May18 00:02:19 /opt/vertica/spread/sbin/spread -c /home/dbadmin/DatabaseName/v_DatabaseName_node0001_catalog/spread.conf..."

kauditd is a kernel process, which is a part of the Linux kernel responsible for the kernel audit events (and communicates with the auditd process). The special brackets surrounding it are telling you that this is not a regular (userland) process (launched through a command), but a kernel process (started/managed by the Linux kernel itself)
The auditd is provided for system auditing. It is responsible for writing audit records to the disk. During startup, the rules in /etc/audit.rules are read by this daemon. You can open /etc/audit.rules file and make changes such as setup audit file log location and other option. With auditd you can answers the following questions:

System startup and shutdown events (reboot / halt).
Date and time of the event.
User respoisble for the event (suh as trying to access /path/to/topsecret.dat file).
Type of event (edit, access, delete, write, update file &commands).
Success or failure of the event.
Records events that modify date and time.
Find out who made changes to modify the system´s network settings.
Record events that modify user/group information.
See who made changes to a file etc.

See our quick tutorial which explains enabling and using the auditd service.

OKkauditd und auditd: Kernel- und Linux Audit System
Who does audit the audit code?

How to use Auditing System in Linux - Configure, Audit Logs and ...
Well, the Linux Auditing system is the answer for all the above questions. The Linux Auditing system allows an administrator to configure audit rules to monitor the system calls, network access, files etc…and generate a summary report - which can be later analyzed and investigated for suspicious activity.

See our quick tutorial which explains enabling and using the auditd service.

OKRouter: Howto detect instrusive attempts within the Fritzbox-menu,, 04.19.2021

The Linux audit subsystem is not one of the best-loved parts of the kernel. It allows the creation of a log stream documenting specific system events — system calls, modifications to specific files, actions by processes with certain user IDs, etc. For some, it is an ideal way to get a handle on what is being done on the system and, in particular, to satisfy various requirements for security certifications (Common Criteria, for example). For others, it is an ugly and invasive addition to the kernel that adds maintenance and runtime overhead without adding useful functionality. More recently, though, it seems that audit adds some security holes of its own. But the real problem, perhaps, is that almost nobody actually looks at this code, so bugs can lurk for a long time.
The system call auditing mechanism creates audit log entries in response to system calls; the system administrator can load rules specifying which system calls are to be logged. These rules can include various tests on system call parameters, but there is also a simple bitmask, indexed by system call number, specifying which calls might be of interest. One of the first things done by the audit code is to check the appropriate bit for the current system call to see if it is set; if it is not, there is no auditing work to be done.
[...] In summary, the code is a giant mess. The way it works is nearly incomprehensible. It contains at least one severe bug. I´d love to see it fixed, but for now, distributions seem to think that enabling CONFIG_AUDITSYSCALL is a reasonable thing to do, and I´d argue that it´s actually a terrible choice for anyone who doesn´t actually need syscall audit rules. And I don´t know who needs these things.

It is telling, though, that this particular vulnerability has existed in the audit subsystem almost since its inception. The audit code receives little in the way of review; most kernel developers simply turn it off for their own kernels and look the other way. But this subsystem is just the sort of thing that distributors are almost required to enable in their kernels; some users will want it, so they have to turn it on for everybody. As a result, almost all systems out there have audit enabled (look for a running kauditd thread), even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
If audit were to be implemented today, the developer involved would have to give some serious thought, at least, to using the tracing mechanism. It already has hooks applied in all of the right places, but those hooks have (almost) zero overhead when they are not enabled. Tracing has its own filtering mechanism built in; the addition of BPF-based filters will make that feature more capable and faster as well. In a sense, the audit subsystem contains yet another kernel-based virtual machine that makes decisions about which events to log; using the tracing infrastructure would allow the removal of that code and a consolidation to a single virtual machine that is more widely maintained and reviewed.
The audit system we have, though, predates the tracing subsystem, so it could not have been based on tracing. Replacing it without breaking users would not be a trivial job, even in the absence of snags that have been glossed over in the above paragraph (and such snags certainly exist). So we are likely stuck with the current audit subsystem (which will certainly not be marked "broken" in the mainline kernel) for the foreseeable future. Hopefully it will receive some auditing of its own just in case there are more old surprises lurking therein.
Posted May 30, 2014 6:50 UTC (Fri) by bnorris (subscriber, #92090) [Link]
&g; As a result, almost all systems out there have audit enabled

$ grep CONFIG_AUDIT /boot/config-´uname -r´

( You might want to comment them in ... )

> (look for a running kauditd thread)
None here.
&g; even though few of them are using it. These systems take a performance penalty just for having audit enabled, and they are vulnerable to any issues that may be found in the audit code.
I´m not an expert on the kaudit subsystem (in fact, I just learned of it), but it looks like kauditd is only spawned in response to a user-space request for it (e.g. from SELinux auditd). See kernel/audit.c:... man auditd
man auditd.conf

Disable auditd temporarily (this will disable logging instantly but will not survive a reboot):

OKauditctl -e0 # for example within /etc/rc.local

Disable auditd permanently (this will require a reboot):

systemctl disable auditd

OKkauditd - CentOS | Forum
kauditd. General support questions including new installations. How to disable kauditd? I tried to put audit=0 to the kernel line in grub, but no luck....

kauditd might care for connection even with SELinux from NSA. So why did he had no luck with it? Boot-parameter "audit=0" (for grub: within /boot/grub/menu.lst) does prevent from kernel audit named kauditd ever starting: no auditing like firefox by the kernel anymore!

OKDisable the OOM Killer (process oom_reaper), The Ubuntu Forum Community, Ubuntu Specialised Support, January 2nd, 2014
As the title suggests, regardless of the repercussions, how do you disable this "feature".
Please do not provide alternate suggestions such as "get more ram" or "tell the program to use less memory".
I´m running a Minecraft server that has its heap space and permgen configured to use nearly all of the available memory on the vps where it resides. I have a highly specific reason for doing this and no, it has never caused me any problems in the past.

Yes the OOM Killer is killing the process see: OOM killed process 659 (java) vm:4973220kB, rss:2066504kB, swap:0kB
Who ever thought killing processes that are consuming beyond a specific amount of memory was a good idea, you have caused me and, the users of my server immeasurable levels of frustration. I am no Linux guru, so any help would be appreciated so long as that help reads "To disable the oom-killer do X".
Thank you in advance.

Re: Disable the OOM Killer The OOM killer can be completely disabled with the following command. This is not recommended for production environments, because if an out-of-memory condition does present itself, there could be unexpected behavior depending on the available system resources and configuration. This unexpected behavior could be anything from a kernel panic to a hang depending on the resources available to the kernel at the time of the OOM condition.

sysctl vm.overcommit_memory=2 # mouseclick-fast echo "vm.overcommit_memory=2" >> /etc/sysctl.conf

[...] Re: Disable the OOM Killer
Hi, Psionic,
I was having the same difficulties. You report that the oom-killer is still killing your process, I suggest either properly fully disabling the oom-killer or lowering the overcommit ratio, as follows:

Disabling OOM Killer
According to:

You can disable the OOM-killer by writing "1" to memory.oom_control file, as:

# echo 1 > memory.oom_control # (unknown variable by sysctl, remark, Gooken)

Reducing Overcommit Ratio
According to

2 - Don´t overcommit. The total address space commit for the system is not permitted to exceed swap + a configurable amount (default is 50%) of physical RAM.
Depending on the amount you use, in most situations this means a process will not be killed while accessing pages but will receive errors on memory allocation as appropriate.
Useful for applications that want to guarantee their memory allocations will be available in the future without having to initialize every page.
The overcommit policy is set via the sysctl ´vm.overcommit_memory´.
The overcommit amount can be set via ´vm.overcommit_ratio´ (percentage) or ´vm.overcommit_kbytes´ (absolute value).
There´s a rather good article on this topic
Of course, in general if you´re getting processes killed it means there´s a problem with using more memory than the system can cope with, and the symptoms are very likely to come out somewhere else. In my case the oom-killer was definitely picking the right process, even though it was the primary purpose of the whole computer: the program had a data-dependent bug and was allocating memory out of control.
I hope that helps.
Kind regards,

More about oom_reaper

OKrtkit-daemon (rpm rtkit)
Description: "RealtimeKit is a D-Bus system service that changes the scheduling policy of user processes/threads to SCHED_RR (i.e. realtime scheduling mode) on request. It is intended to be used as a secure mechanism to allow real-time scheduling to be used by normal user processes.".
"I´s...a management daemon so to say. Instead of applications asking the kernel directly (and needing proper permissions for this, usually root) they ask the daemon. The daemon can hand out the realtime permissions then according it its configuration (/etc/dbus-1/system.d/org.freedesktop.RealtimeKit1.conf). It´s simply a helper process that allows applications to ask for realtime permissions through dbus...not really much more. But having such a helper process makes the whole procedure much more secure (no suid root needed for some programs), cleaner (dbus interface) and more flexible (one daemon to configure, not each program with an own configuration..if at all)."

For rtkit isn´t almost needed, as we got told in the internet above, and there are no real dependencies from it, it´ might not be a bad idea to deinstall it:

"rpm -e --nodeps rtkit"

... same eventually with Packagekit (el6), gvfsd (gvfs (el6) and so on: just deinstall them! The less (not really needed daemons do run under root, the more secure the system might behave...

OKnetns, migration/0, kintgerityd, oom_reaper, ... ( one of them lists the actual website-title!)
Kernel-daemons almost can´t get deactivated manually! This might be possible by removing some (not needed) kernel-modules by rmmod, delmod or kernel-configuration only (within file .config).

Running strongSwan in Network Namespaces (netns) on Linux
Normally, the network stack (interfaces, routing tables, firewall rules etc.) is shared by all processes running on an operating system. With Linux network namespaces (netns) it´s possible to have multiple separate instances of the network stack.
Note: While basic support for network namespaces was added to the Linux kernel a long time ago, some features (e.g. CLUSTERIP support) might require a recent kernel.
The easiest way to work with network namespaces is to use the ip command of the iproute2 package. These commands will have to be executed as root (i.e. with sudo on most distros).
Network Namespace Basics
To create a new netns use the following command:

# ip netns add <network namespace name>

A list of all currently defined netns is provided by ip netns list.

Interfaces can be assigned to a netns with the ip link command:

# ip link set <interface name netns <netns name>

If you run ip link list afterwards such an interface won´t be seen as it is only available in the configured netns.

So to actually list the interface in a specific netns it´s required to be able to run commands in a specific netns. This can be done with the ip netns exec command. So to get a list of interfaces defined in a specific netns use:

# ip netns exec <netns name> ip link list

If only one physical interface is available, or if you don´t want to assign physical interfaces to the netns for other reasons, it´s possible to create virtual Ethernet interface pairs (veth, provided via CONFIG_VETH). These are like a bi-directional pipe (i.e. what´s written to one end comes out the other and vice-versa) of which one end is placed inside the netns and the other stays outside in the "default" or "global" namespace.

To create such a pair use:

# ip link add <interface name 1> type veth peer name <interface name 2>

This creates two connected Enthernet interfaces with the given names. One is assigned to a netns (via ip link) the other is not (it doesn´t matter which one and it´s also possible to assign both interfaces to two different netns to connect them). How the outer interface is used depends on the use case, it may be put inside a bridge, or used in routing rules to route traffic to and from a netns.

Since interfaces assigned to a netns are disabled they have to be enabled first, and they will probably also require an IP address, which can be done with:

# ip netns exec <netns name> ip addr add x.x.x.x/x dev <iface name>
# ip netns exec <netns name> ip link set dev <iface name> up

Similar to these commands routes or firewall rules may be added by running ip route or iptables inside a specific netns via ip netns exec <command.

Running a single instance of strongSwan inside a netns is straight-forward. Simply run ipsec commands via ip netns exec ipsec <command>.
But more interesting is probably running multiple instances of strongSwan in separate namespaces. Because all netns share the same file system this is a bit tricky.
Luckily, the ip netns exec command provides a helpful feature: Every file found in /etc/netns/<name>/ for a given netns is bind mounted over its corresponding counterpart in /etc (so it has to exist there). This can be used to provide different config files for each instance, but may also be used to redirect the so called piddir, where the charon and starter daemons create their PID files and UNIX sockets (the default is to use /var/run, which would conflict if multiple instances would use it).
To do so make sure strongSwan is configured with --sysconfdir=/etc and e.g. --with-piddir=/etc/ipsec.d/run. Then after building and installing strongSwan the piddirs can be created as follows:

# mkdir -p /etc/ipsec.d/run
# mkdir -p /etc/netns/<netns name 1>/ipsec.d/run
# mkdir -p /etc/netns/<netns name 2>/ipsec.d/run

OKStrongSwan is an OpenSource IPsec-based VPN Solution for Linux * runs both on Linux 2.4 (KLIPS IPsec) and Linux 2.6 (NETKEY IPsec) kernels * implements both the IKEv1 and IKEv2 (RFC 4306) key exchange protocols * Fully tested support of IPv6 IPsec tunnel and transport connections * Dynamical IP address and interface update with IKEv2 MOBIKE (RFC 4555) * Automatic insertion and deletion of IPsec-policy-based firewall rules * Strong 128/192/256 bit AES or Camellia encryption, 3DES support * NAT-Traversal via UDP encapsulation and port floating (RFC 3947) * Dead Peer Detection (DPD, RFC 3706) takes care of dangling tunnels * Static virtual IPs and IKEv1 ModeConfig pull and push modes * XAUTH server and client functionality on top of IKEv1 Main Mode authentication * Virtual IP address pool managed by IKE daemon or SQL database * Secure IKEv2 EAP user authentication (EAP-SIM, EAP-AKA, EAP-MSCHAPv2, etc.) * Optional relaying of EAP messages to AAA server via EAP-RADIUS plugin * Support of IKEv2 Multiple Authentication Exchanges (RFC 4739) * Authentication based on X.509 certificates or preshared keys * Generation of a default self-signed certificate during first strongSwan startup * Retrieval and local caching of Certificate Revocation Lists via HTTP or LDAP * Full support of the Online Certificate Status Protocol (OCSP, RCF 2560). * CA management (OCSP and CRL URIs, default LDAP server) * Powerful IPsec policies based on wildcards or intermediate CAs * Group policies based on X.509 attribute certificates (RFC 3281) * Storage of RSA private keys and certificates on a smartcard (PKCS #11 interface) * Modular plugins for crypto algorithms and relational database interfaces * Support of elliptic curve DH groups and ECDSA certificates (Suite B, RFC 4869) * Optional built-in integrity and crypto tests for plugins and libraries * Smooth Linux desktop integration via the strongSwan NetworkManager applet This package triggers the installation of both, IKEv1 and IKEv2 daemons.

Block network access of a process,
It is possible to block the (outgoing) network access of a single process in different ways: by unshare / nsenter, ip-netns, iptables, apparmor and firejail.

OKNotice: We use right above mentioned command "unshare" for starting firejail (for sandboxing firefox (including for example of different file-sizes the versions) by the command "unshare firejail..." etc)., psad (/etc/init.d/psad: prog="unshare psad"), uuidd (/etc/init.d/uuidd with prog="unshare uuidd" and "daemon.... unshare $DAEMON" within the start-function, apparmor-dbus out of /etc/rc.local, messagebus (/etc/init.d/messagebus with processname="unshare dbus-daemon", dbus), gpm (/etc/init.d/gpm with "daemon "unshare /usr/sbin/gpm" -m ... ), cups (/etc/init.d/cups with "daemon "unshare cups" ...), dm (again in /etc/init.d/dm) and

one of the best things you can do ever, the securing with we hope by option --tcp nolisten configured X-server (root-process X):

X (X11, ServerCmd=/usr/bin/unshare /usr/bin/X within (resp., to be more concrete, follow the linking of) /usr/share/config/kdm/kdmrc: enhance the command for execution of X with unshare: "ServerCmd=/usr/bin/unshare /usr/bin/X" and "Willing=/usr/bin/unshare /usr/share/X11/xdm/Xwilling"), kdm (/usr/share/config/kdm/kdmrc with "Preloader=/usr/bin/unshare /usr/bin/preloadkde", haldaemon (/etc/init.d/haldaemon), udevd (in /sbin/start_udev with "else /usr/bin/unshare /sbin/udevd -d ..."), polkitd (/etc/xdg/polkit-gnome-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-gnome-authentication-agent-1" and /etc/xdg-polkit-kde-authentification-agent-1.desktop: "exec=unshare /usr/libexec/polkit-kde-authentification-agent-1 ), konsole and xterm, dolphin, drakconf.real resp. drakconf (MCC), network-ready-games like gl-117, trackballs, extremetuxracer, marsshooter, freedroidrpg, orbital, xonotic etc. in future (do them all just to be careful)! Some kernel-modules like for usblp for USB-printer by unshare (for example in /etc/rc.loca): unshare COMMA-ABOVE-FOR-EXECUTIONmodprobe usblpCOMMA-ABOVE-FOR-EXECUTION, graphic-card (just experimentel): unshare COMMA-ABOVE-FOR-EXECUTIONi915COMMA-ABOVE-FOR-EXECUTION, mainboard (just experimentel!): unshare COMMA-ABOVE-FOR-EXECUTIONlpc_ichCOMMA-ABOVE-FOR-EXECUTION, (less experimentel): unshare COMMA...modprobe videoCOMMA..., but still NOT functioning are those "unshared" ones for internal kernel-processs like kernel-daemon netns (/etc/rc.local): "unshare --net --mount -p pidof netns", oom_reaper (/etc/rc.local): "unshare --net --mount -p pidof oom_reaper", migration/0 (/etc/rc.local): "unshare --net --mount -p pidof migration/0". Also try firejail for a sandboxed network namespace by option net, netfilter, join-network=name|pid and netns, see man firejai, section join-network for good examples also doing fine with Linfw3 (through iptables-restore and iptables-save) or try slirp4netns (OpenSuSE 15.2).

rsyslog (runlevel-init-script /etc/init.d/rsyslog, line with daemon: .daemon --pidfile="$PIDFILE" unshare $exec -i "$PIDFILE&uqot; $SYSLOGD_OPTIONS

... eventually try the same with unshare within /etc/init.d/cups!

Especially hardening the root- and suid-processes by unshare makes the computer secure (as quit all remaining riscs do depend from kernel-processes now) and, as we, believe it or not, really meant having recognized, very mouseclick-fast too!

It couldn´t be easier and more simple to contribute to the highest security level ever: You just have to type "unshare" right before quit each program´t;s and daemon´s (scripts out of /etc/init.d) start, regardless from starting by terminal, out of the menu or by any runlevel-init-script and script !

OKAlways open resp. start programs resp. applications not allowed to communicate in any net with unshare or with adequate options of firejail, even within the terminal, k-menu, context-menu (service-menu), directory desktop, quick starter and quick launcher! Use unshare even for firejail itself, especially whenever firejail got a sandbox for the a browser like firefox: we show the complete resulting command for this case further below!

OK, we show the meant command to start Tor and Firefox by Firejail through unshare ( unexplaineds ) from further below already right at this place:

OKsg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/palemoon.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"

OKwatchdogd: How can I disable a watchdog, once it has been enabled?
Normally to shut down the watchdog driver you have to write a ´V´ character to /dev/watchdog which you could do from a root bash prompt just with:

echo ´V´ > /dev/watchdog

However, before you try to create your own watchdog driver take a look at the existing Linux watchdog daemon to see, if it can do the job. A good start is my page here: OKIncrease kernel integrity with disabled Linux kernel modules loading
Increasing Linux kernel integrity
Disable loading kernel module on Linux systems
The Linux kernel can be configured to disallow loading new kernel modules. This feature is especially useful for high secure systems, or if you care about securing your system to the fullest. In this article, we will have a look at the configuration of this option. At the same time allowing legitimate kernel modules to be loaded.
Disable kernel modules
Newer kernel modules have a sysctl variable named kernel.modules_disabled.
Sysctl is the tool which allows you to see and change kernel settings of a running system. The related /etc/sysctl.conf file is used to ensure that your settings are also used at the next boot of the system.
The sysctl key kernel.modules_disabled is very straightforward. If it contains a "1" it will disable loading new modules, where a"0" will still allow loading them.
Using this option will be a great protection against loading malicious kernel modules. For example, it may help to counter rootkits. Needless to say, but when someone was already been able to gain root access, you have a serious problem. Still, setting this security measure can be useful to achieve maximum hardening of your Linux system. An altered script or program has no chance of loading things you didn´t specifically approve.
[...] By default, the sysctl key is set to"0", which means new modules can be loaded. This is a safe default for systems but also allows malicious modules to be loaded.

# sysctl -a | grep modules
kernel.modules_disabled = 0

Now we disable loading new modules, by using the sysctl key and set it to"1". There are two ways of doing it, using sysctl directly or echo the value to a file on the pseudo file system /proc, which holds the kernel settings.

# echo 1 > /proc/sys/kernel/modules_disabled

Protection against re-enabling
You might think that loading a kernel module is as simple as re-enabling the option and then still load your kernel module. The kernel has a built-in protection, to avoid this from happening. Trying to set the value back to"0" will result in an"invalid argument" message.
Sysctl showing invalid argument when trying to set value
As can be seen, sysctl will say the value is set to"0". However, the value isn´t applied, as this key is read-only. Slightly confusing, and therefore always good to check the value again.

# sysctl kernel.modules_disabled
kernel.modules_disabled = 1

As expected, the value is still set to"1".
Disable module loading after boot time

By configuring the /etc/sysctl.conf file we can disallow the loading of kernel modules at boot time. Simply add the related line, with the value"1" as shown in the example. Caveat: Things might break
Depending on your environment, you might be careful with using this option. It may be working very well on servers, but not on desktop systems. The reason is the type of usage is different, especially when it comes with loading new kernel modules. For example inserting a USB drive, mouse or network functionality might break. So before deploying the option, make sure you test these common use cases.
Hybrid option
Instead of enabling the option directly via /etc/sysctl.conf, it might be better to activate this setting after booting and loading required modules.
Your startup script could be looking like

#!/bin/sh/ # code by Gooken
sleep 45 # original text: 300; decrease this time, if usb and all modules are working fine, if not, test checkout lsmod and increase it
# insmod <module>
# insmod <module>
modprobe usb_storage
modprobe dm_zero
modprobe vfat
modprobe fat
modprobe isofs # DVD/CD/...
modprobe udf # DVD/CD/...
modprobe nls_iso8859_1
modprobe nls_cp437
modprobe glue_helper
modprobe dax
modprobe uinput
modprobe ahci
modprobe libahci
modprobe ecb
modprobe af_alg
modprobe algif_skcipher
modprobe lrw
modprobe cbc
modprobe aes_x86_64 # for USB, that might be LUKS-encrypted
modprobe twofish_common
modprobe twofish_x86_64_3way
modprobe twofish_x86_64
modprobe twofish_generic
echo 1 > /proc/sys/kernel/modules_disabled

Usually to get iptables working, these are the related modules: iptables, x_tables, iptable_filter.
Depending on your Linux distribution, the startup should be loaded as late as possible. If you have /etc/rc.local available, that is usually a safe bet.
Do you use this option already? Or found some other caveats? Like to hear your feedback in the comments.

In other words: write the small routine from above into a runlevel-init-script (for example this of /etc/init.d/linfw3 renamed to /etc/init.d/modules-disabled) right into the start function, where it is executed by the command start & (and not just the command "start") in the background. Before this is done, remove all code not needed anymore from this script. Now the script itself is executed not as usual by chkconfig, ntsysv7, the MCC (drakconf) or systemd, but only out of /etc/rc.local by the command "sh /etc/init.d/modules-disabled start".

OKkernel.printk.* in /etc/sysctl.conf
kernel.printk =0 6 7 0 # The four values in printk denote: console_loglevel, default_message_loglevel, minimum_console_loglevel and default_console_loglevel respectively.
0=emerg, 1=alert, 2=crit, ...
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time

OKRegelmäßig Logs analysieren
Speichere logs in vorgesehene Log-Server. Damit wird verhindert, dass Eindringlinge auf einfache Art Modifikationen an Log-Dateien vornehmen. Hier noch einmal namentlich die in Linux üblichen Log-Dateien und ihre Verwendung:

/var/log/message - Hier protokolliert mehr oder weniger das gesamte System
/var/log/auth.log - Authentifizierung
/var/log/kern.log - Kernel-Logs.
/var/log/cron.log - Crond-Logs (cron job).
/var/log/maillog - Mailserver-Logs
/var/log/boot.log - System-boot-Log
/var/log/mysqld.log - Logdatei des MySQL-Datenbankservers
/var/log/secure - Authentifizierung
/var/log/utmp oder /var/log/wtmp : Protokolliert die records-Dateien
/var/log/yum.log: Yum-Logdatei

OKPrevent too informative system information in logfiles
The system-log-level reach from debug over info, warning up to emerg. A detailed protocolling is something to think about, they can be read out by users as much as processes. For outputs of dmesg log-level "warning" might restrict delivered protocol-information:


OKUsing and customizing logcheck
The logcheck package in Debian is divided into the three packages logcheck (the main program), logcheck-database (a database of regular expressions for the program) and logtail (prints loglines that have not yet been read). The Debian default (in /etc/cron.d/logcheck) is that logcheck is run every hour and after reboots.
This tool can be quite useful if properly customized to alert the administrator of unusual system events. Logcheck can be fully customized so that it sends mails based on events found in the logs and worthy of attention. The default installation includes profiles for ignored events and policy violations for three different setups (workstation, server and paranoid). The Debian package includes a configuration file /etc/logcheck/logcheck.conf, sourced by the program, that defines which user the checks are sent to. It also provides a way for packages that provide services to implement new policies in the directories: /etc/logcheck/cracking.d/_packagename_, /etc/logcheck/violations.d/_packagename_, /etc/logcheck/violations.ignore.d/_packagename_, /etc/logcheck/ignore.d.paranoid/_packagename_, /etc/logcheck/ignore.d.server/_packagename_, and /etc/logcheck/ignore.d.workstation/_packagename_. However, not many packages currently do so. If you have a policy that can be useful for other users, please send it as a bug report for the appropriate package (as a wishlist bug). For more information read /usr/share/doc/logcheck/README.Debian.
The best way to configure logcheck is to edit its main configuration file /etc/logcheck/logcheck.conf after installation. Change the default user (root) to whom reports should be mailed. You should set the reportlevel in there, too. logcheck-database has three report levels of increasing verbosity: workstation, server, paranoid. "server" being the default level, paranoid is only recommended for high-security machines running as few services as possible and workstation for relatively sheltered, non-critical machines. If you wish to add new log files just add them to /etc/logcheck/logcheck.logfiles. It is tuned for default syslog install.
Once this is done you might want to check the mails that are sent, for the first few days/weeks/months. If you find you are sent messages you do not wish to receive, just add the regular expressions (see regex(7) and egrep(1)) that correspond to these messages to the /etc/logcheck/ignore.d.reportlevel/local. Try to match the whole logline. Details on howto write rules are explained in /usr/share/doc/logcheck-database/README.logcheck-database.gz. It´s an ongoing tuning process; once the messages that are sent are always relevant you can consider the tuning finished. Note that if logcheck does not find anything relevant in your system it will not mail you even if it does run (so you might get a mail only once a week, if you are lucky).

OKConfigure, where alerts are sent
Debian comes with a standard syslog configuration (in /etc/syslog.conf) that logs messages to the appropriate files depending on the system facility. You should be familiar with this; have a look at the syslog.conf file and the documentation if not. If you intend to maintain a secure system you should be aware of where log messages are sent so they do not go unnoticed.
For example, sending messages to the console also is an interesting setup useful for many production-level systems. But for many such systems it is also important to add a new machine that will serve as loghost (i.e. it receives logs from all other systems).
Root´s mail should be considered also, many security controls (like snort) send alerts to root´s mailbox. This mailbox usually points to the first user created in the system (check /etc/aliases). Take care to send root´s mail to some place where it will be read (either locally or remotely).
There are other role accounts and aliases on your system. On a small system, it´s probably simplest to make sure that all such aliases point to the root account, and that mail to root is forwarded to the system administrator´s personal mailbox.

OKFirefox: Copy the secure libssl*, libnss* and libnspr4* of tor-Browser (ESR) or out of an actual Firefox like 63 to Firefox (ESR, same version as tor-browser) into /usr/lib64/firefox/ followed by chown root:root and chmod 755 upon them.

OKProtecting against ARP-attacks
When you don´t trust the other boxes on your LAN (which should always be the case, because it´s the safest attitude) you should protect yourself from the various existing ARP attacks.
As you know the ARP protocol is used to link IP addresses to MAC addresses (see RFC826 for all the details). Every time you send a packet to an IP address an ARP resolution is done (first by looking into the local ARP cache then, if the IP isn´t present, in the cache by broadcasting an ARP query) to find the target´s hardware address. All the ARP attacks aim to fool your box into thinking, that box B´s IP address is associated to the intruder´s box´s MAC address; Then every packet that you want to send to the IP associated to box B will be send to the intruder´s box...
Those attacks (ARP cache poisoning, ARP spoofing...) allow the attacker to sniff the traffic even on switched networks, to easily hijack connections, to disconnect any host from the network... ARP attacks are powerful and simple to implement, and several tools exists, such as arpspoof from the dsniff package or arpoison.
However, there is always a solution:

Use a static ARP cache. You can set up "static" entries in your ARP cache with:

arp -s host_name hdwr_addr

By setting static entries for each important host in your network you ensure that nobody will create/modify a (fake) entry for these hosts (static entries don´t expire and can´t be modified) and spoofed ARP replies will be ignored. Detect suspicious ARP traffic. You can use arpwatch, karpski or more general IDS that can also detect suspicious ARP traffic (snort, prelude...).
Implement IP traffic filtering validating the MAC address.

OKSecure up services running on your system
SSH, Squid, FTP, X-Window-System, Display-Manager, Druckerzugriff, Mail-Dienst, BIND, Apache, Finger, chroot- and suid-paranoia, Cleartext-passwort-paranoia, deactivating NIS, deactivating RPC-services:

OKPackage signing

OKRemote vulnerability assessment tools
The tools provided by Debian to perform remote vulnerability assessment are:

nessus, raccess, nikto (whisker´s replacement)

By far, the most complete and up-to-date tools is nessus which is composed of a client (nessus) used as a GUI and a server (nessusd) which launches the programmed attacks. Nessus includes remote vulnerabilities for quite a number of systems including network appliances, ftp servers, www servers, etc. The latest security plugins are able even to parse a web site and try to discover which interactive pages are available which could be attacked. There are also Java and Win32 clients (not included in Debian) which can be used to contact the management server.

OKMake these changes within your router, in order to close lacks in security and to increase the internet trafffic speed,, 01.26.2024
Text in english:
Lassen Sie Ihren Router niemals in der Standardeinstellung.
Unser Leben ist immer mehr mit dem Internet verknüpft, und die Sicherheit und der Schutz der Privatsphäre bei unseren Online-Aktivitäten sind von größter Bedeutung. Vor diesem Hintergrund gibt es eine wichtige, aber oft übersehene Komponente in unserem Zuhause, die eine entscheidende Rolle für unsere digitale Sicherheit spielt: der Heimrouter. Dieses unscheinbare Gerät ist das Tor, durch das unsere gesamte Online-Kommunikation läuft. Es ist ein Stück Technik, das in Haushalten auf der ganzen Welt allgegenwärtig ist, aber seine Bedeutung für den Schutz unserer digitalen Privatsphäre und Sicherheit wird oft unterschätzt.
Ihr Router regelt den Internetverkehr für alle Geräte, die an Ihr Heimnetzwerk angeschlossen sind, wie Telefone, Laptops, Tablets, Konsolen und Smart-TVs. Ihr Router hat nicht nur Einfluss auf die Internetgeschwindigkeit aller angeschlossenen Geräte, sondern kann, wenn er nicht richtig konfiguriert ist, auch Sicherheitslücken aufweisen, die böswillige Akteure ausnutzen können, um Ihren Internetverkehr auszuspionieren. Glücklicherweise können Sie Ihren Router mit ein paar einfachen Schritten absichern und für die beste Geschwindigkeit und Verbindung optimieren.
Zugang zu den Einstellungen Ihres Routers
Um mit der Sicherung und Optimierung Ihres Routers zu beginnen, müssen Sie sich über Ihren Browser bei Ihrem Router anmelden.
Geben Sie zunächst die Standardnetzwerkadresse Ihres Routers in die Adresszeile Ihres Browsers ein.
Die häufigsten Router-Netzwerkadressen sind und
Einige weniger gebräuchliche Router-Adressen sind
Wenn keine dieser Adressen funktioniert, überprüfen Sie, ob die Standardnetzwerkadresse auf Ihrem Router aufgedruckt oder in der offiziellen Dokumentation Ihres Routers angegeben ist.
Die meisten Router stellen ihre offizielle Dokumentation auf ihren Support-Websites zur Verfügung. Hier finden Sie die Links zu den offiziellen Support-Websites für einige der gängigsten Router-Marken:
Wenn Sie einen Router eines anderen Herstellers verwenden, suchen Sie nach "[Router-Hersteller] Support", "[Router-Hersteller] Dokumentation" oder "[Router-Hersteller] Login", um die entsprechende Dokumentation zu finden.
Nachdem Sie die Standardnetzwerkadresse Ihres Routers gefunden und in die Adressleiste Ihres Browsers eingegeben haben, müssen Sie die Anmeldedaten Ihres Routers eingeben.
Wenn Sie Ihre Zugangsdaten nicht kennen, versuchen Sie es mit dem Benutzernamen "admin" und dem Passwort "password".
Sollte dies nicht funktionieren, überprüfen Sie, ob die Anmeldedaten auf Ihrem Router aufgedruckt sind oder in der offiziellen Dokumentation Ihres Routers stehen.
Nachdem Sie sich erfolgreich angemeldet haben, können Sie mit der Sicherung und Optimierung Ihres Routers beginnen, indem Sie den Schritten in dieser Anleitung folgen. Jeder Schritt enthält eine allgemeine Anleitung zur Durchführung, aber der spezifische Prozess kann je nach Router variieren. Wenn Sie spezifische Anweisungen benötigen, lesen Sie die offizielle Dokumentation Ihres Routers oder besuchen Sie die Support-Website.
Ändern Sie das Standardpasswort Ihres Routers.
Da die meisten Router ein schwaches Standardpasswort verwenden, sollten Sie als erstes dieses schwache Standardpasswort in ein sicheres, eindeutiges Passwort ändern, um Ihren Router zu schützen.
Die Option zum Ändern des Passworts finden Sie normalerweise in den Router-Einstellungen unter "Verwaltung", "Allgemein" oder "Drahtlos".
Bei einigen Routern müssen Sie nur das neue Passwort eingeben, um Ihr Passwort zu ändern. Bei anderen Routern müssen Sie das alte und das neue Kennwort eingeben und das Kennwort bestätigen. Bei einigen Routern müssen Sie auch Sicherheitsfragen und -antworten eingeben.
Wenn Sie aufgefordert werden, Sicherheitsfragen und -antworten einzugeben, ist es am besten, die Antworten als zufällige Passwörter festzulegen und sie in einem Passwortmanager zu speichern, um zu verhindern, dass sie durch Social-Engineering-Angriffe aufgedeckt werden.
Ändern Sie den voreingestellten öffentlichen Namen (SSID) Ihres Routers.
Der voreingestellte öffentliche Name oder Service Set Identifier (SSID) Ihres Routers enthält oft verräterische Informationen wie die Marke und Modellnummer Ihres Routers oder den Namen Ihres Internet Service Providers (ISP). Wenn Sie den öffentlichen Namen Ihres Routers in einen weniger aufschlussreichen Namen ändern, z. B. in ein zufälliges Wort oder eine Phrase, können Sie es böswilligen Angreifern oder Netzwerk-Schnüfflern erschweren, das Modell Ihres Routers herauszufinden.
Die Option zum Ändern des Routernamens befindet sich in der Regel im Abschnitt "Erweitert" oder "Drahtlos" in den Einstellungen Ihres Routers.
WPA3-AES-Verschlüsselung verwenden
Wireless Protected Access 3-Advanced Encryption Standard 3 (WPA3-AES) ist einer der sichersten drahtlosen Verschlüsselungsstandards, und Sie sollten sicherstellen, dass Ihr Router diesen Standard verwendet, sofern er unterstützt wird. Falls Ihr Router WPA3-AES nicht unterstützt, verwenden Sie WPA2-AES.
Die Option zum Überprüfen und Ändern des drahtlosen Verschlüsselungsstandards Ihres Routers befindet sich normalerweise im Abschnitt "Erweitert", "Drahtlos" oder "Drahtlose Sicherheit" der Router-Einstellungen.
Deaktivieren Sie UPnP
Universal Plug and Play (UPnP) ermöglicht es jedem Programm in Ihrem lokalen Netzwerk, Ports auf der Firewall Ihres Routers zu öffnen und Verbindungen zu Geräten außerhalb des Netzwerks herzustellen. In der Regel ist UPnP bei Routern standardmäßig aktiviert, da es neuen Geräten ermöglicht, sich automatisch dem Netzwerk anzuschließen und mit anderen Geräten zu verbinden. Milliarden von Geräten sind jedoch von den UPnP-Schwachstellen betroffen, und durch Deaktivieren von UPnP können Sie Ihr Netzwerk vor diesen Schwachstellen schützen.
Die Option zum Deaktivieren von UPnP finden Sie in der Regel in den Einstellungen Ihres Routers unter "Erweitert", "Drahtlos" oder "Drahtlose Sicherheit".
In den meisten Fällen wird die Deaktivierung von UPnP keine Probleme verursachen. Sollten jedoch Probleme mit bestimmten Anwendungen, Geräten oder Diensten auftreten, können Sie manuell Ports für diese Anwendungen, Geräte oder Dienste öffnen und an diese weiterleiten.
Die Option zum manuellen Öffnen von Ports befindet sich in der Regel in den Abschnitten "Erweitert", "Anwendungen und Spiele", "Netzwerk", "Netzwerkcenter", "Portweiterleitung", "Port-Triggering", "Virtuelle Server", "WAN" oder "Sicherheit" in den Einstellungen Ihres Routers.
Sobald Sie die Option zum manuellen Öffnen von Ports auf Ihrem Router gefunden haben, müssen Sie die TCP- und UDP-Ports finden, auf die die spezifische Anwendung, das Gerät oder der Dienst weitergeleitet werden soll, und diese Portdetails beim Öffnen des Ports auf Ihrem Router eingeben.
Sie können diese Portdetails finden, indem Sie nach [Name der Anwendung/des Geräts/des Dienstes] Portweiterleitung suchen.
Ändern Sie Ihren Standard-DNS
Jedes Mal, wenn Sie eine Verbindung zu einer Website oder einem Online-Dienst herstellen, ruft Ihr Gerät einen Domain Name Server (DNS) auf, um den Domainnamen in die für die Verbindung erforderliche Internetprotokolladresse (IP) zu übersetzen. Standardmäßig verwendet Ihr Router den DNS, der von Ihrem Internetdienstanbieter bereitgestellt wird. Diese vom ISP bereitgestellten Server sind jedoch oft langsamer als Alternativen und ermöglichen dem ISP, den Zugriff auf Websites auf DNS-Ebene zu blockieren. Durch die Wahl eines schnellen, datenschutzfreundlichen DNS, z. B. von Cloudflare, können Sie die DNS-Blockierung durch Ihren Internetanbieter vermeiden und von einer höheren Surfgeschwindigkeit profitieren.
Um Ihren Standard-DNS zu ändern, erhalten Sie die DNS-Serverdetails von Ihrem bevorzugten DNS-Anbieter. Die DNS-Server-Details für Cloudflare finden Sie hier.
Ändern Sie dann den Standard-DNS-Server in den Einstellungen Ihres Routers. Die Option zum Ändern des DNS befindet sich in der Regel unter "Erweitert", "Konnektivität", "Lokales Netzwerk", "Internet", "IPv6", "Netzwerk", "Netzwerkcenter" oder "WAN" in den Einstellungen Ihres Routers.
Wi-Fi-Kanalbreite einstellen
Wi-Fi arbeitet auf zwei Frequenzen - 2,4 Gigahertz (GHz) und 5 GHz. Jede dieser Frequenzen ist in mehrere Kanäle aufgeteilt. Durch Einstellen der Wi-Fi-Kanalbreite können Sie die Verbindungsgeschwindigkeit verbessern oder Störungen reduzieren.
Die Option zum Überprüfen und Ändern der aktuellen Wi-Fi-Frequenz und Kanalbreite finden Sie in der Regel im Abschnitt "Erweitert", "Wi-Fi-Verbindung" oder "Drahtlos" in den Einstellungen Ihres Routers.
Wenn Sie in einem Bereich wohnen, in dem viel Platz zwischen Ihnen und anderen Wi-Fi-Netzwerken ist (z. B. in einem Haus mit viel Platz zwischen den Nachbarn), versuchen Sie, die Kanalbreite (einige Router nennen dies "Bandbreite") auf 40 MHz zu ändern, wenn Ihre Wi-Fi-Frequenz 2,4 GHz beträgt, oder auf 80 MHz, wenn Ihre Frequenz 5 GHz beträgt, und sehen Sie, ob sich Ihre Wi-Fi-Geschwindigkeit dadurch verbessert.
Wenn es in Ihrer Nähe viele Wi-Fi-Netzwerke gibt (z. B. in einem Mehrfamilienhaus) und Sie Probleme mit Interferenzen haben, versuchen Sie, die Kanalbreite auf 20 MHz zu ändern, wenn Ihre Wi-Fi-Frequenz 2,4 GHz beträgt, oder auf 40 MHz, wenn Ihre Wi-Fi-Frequenz 5 GHz beträgt.
Wi-Fi 6 aktivieren
Wenn Sie Wi-Fi 6, den neuesten Wi-Fi-Standard, auf Ihrem Router aktivieren, können Sie Ihre Internetgeschwindigkeit erhöhen, eine bessere Verbindung herstellen und mehr Geräte anschließen.
Viele Router verwenden automatisch den neuesten Wi-Fi-Standard. Wenn Ihr Router jedoch ermöglicht, den Wi-Fi-Standard zu ändern, finden Sie diese Option in der Regel im Abschnitt "Drahtlos" der Router-Einstellungen. Bei einigen Routern wird Wi-Fi 6 als "802.11ax" bezeichnet.
Wenn Ihr Router Wi-Fi 6 nicht unterstützt, aktivieren Sie den neuesten verfügbaren Standard. Wi-Fi 5 kann als "802.11ac" und Wi-Fi 4 als "802.11n" aufgeführt sein.
WPS deaktivieren
Wi-Fi Protected Setup (WPS) ist ein Netzwerksicherheitsstandard, der bei vielen Routern standardmäßig aktiviert ist, aber erhebliche Sicherheitslücken aufweist.
Sie können überprüfen, ob Ihr Router WPS unterstützt, indem Sie nach einem physischen WPS-Knopf am Router suchen, die offizielle Dokumentation lesen oder nach "[Routername] wps" suchen.
Die Option zum Deaktivieren von WPS befindet sich in der Regel unter "Erweitert", "Erweiterte Einstellungen", "Schnittstelleneinstellungen", "Netzwerkcenter", "Drahtlos" oder "Drahtloseinstellungen" in den Einstellungen Ihres Routers.
Fernverwaltung deaktivieren
Fernverwaltung, Fernzugriff oder Fernverwaltung ist eine Funktion, die es Personen außerhalb Ihres lokalen Netzwerks ermöglicht, sich bei Ihrem Router anzumelden. Die meisten Router haben diese Funktion standardmäßig deaktiviert, aber Sie sollten immer die Einstellungen Ihres Routers überprüfen und sicherstellen, dass die Fernverwaltung deaktiviert ist.
Die Option zum Überprüfen und Deaktivieren der Fernverwaltung befindet sich in der Regel im Abschnitt "Erweiterte Einstellungen", "Zugriffsverwaltung", "Verwaltung", "Fernzugriff", "Fernverwaltung" oder "Webdienstverwaltung" in den Einstellungen Ihres Routers.
HTTPS-Authentifizierung aktivieren
Viele Router stellen die Verbindung zu ihren Einstellungen über das standardmäßige Hypertext Transfer Protocol (HTTP) her. Sie können diese Verbindung sicherer machen, indem Sie sie auf Hypertext Transfer Protocol Secure (HTTPS) umstellen.
Die Option zum Überprüfen und Aktivieren von HTTPS befindet sich in der Regel im Abschnitt "Verwaltung", "Systemsteuerung", "Netzwerk", "Sicherheit" oder "System" der Router-Einstellungen.
11. Aktivieren Sie die Firewall Ihres Routers.
Die Firewall Ihres Routers schützt Ihr Heimnetzwerk, indem sie die meisten Verbindungen aus dem Internet blockiert. Bei den meisten Routern ist die Firewall bereits aktiviert, aber es ist ratsam, die Einstellungen Ihres Routers zu überprüfen und sicherzustellen, dass die Firewall aktiviert ist.
Die Option zum Überprüfen und Aktivieren der Firewall Ihres Routers finden Sie in der Regel unter "Erweiterte Einstellungen", "Inhaltsfilterung", "Firewall" oder "Sicherheit" in den Einstellungen Ihres Routers.
Nachdem Sie die Firewall aktiviert haben, überprüfen Sie, ob Sie damit anonyme Internetanfragen und Port 113 filtern oder blockieren können. Wenn dies möglich ist, filtern oder blockieren Sie diesen Datenverkehr, um einige der potenziellen Wege zu schließen, die Eindringlinge nutzen könnten, um Ihren Router anzugreifen.
Einrichtung eines Gast-Wi-Fi-Netzwerks
Wenn Sie ein Gast-Wi-Fi-Netzwerk einrichten, können sich Besucher mit Ihrem Wi-Fi-Netzwerk verbinden, ohne Zugriff auf die Dateien und Computer in Ihrem Heimnetzwerk zu erhalten.
Die Option zum Einrichten eines Wi-Fi-Gastnetzwerks finden Sie in der Regel in den Einstellungen Ihres Routers unter "Erweitert", "Gastzugang", "Gastnetzwerk", "Einstellungen" oder "Wi-Fi-Verbindung".
Halten Sie die Firmware ihres Routers auf dem neuesten Stand
Die neueste Firmware auf Ihrem Router ist wichtig, um sich vor den neuesten Sicherheitsbedrohungen zu schützen, und kann auch die Leistung Ihres Routers verbessern.
Einige Router benachrichtigen Sie, wenn eine neue Firmware verfügbar ist, sobald Sie sich bei den Einstellungen Ihres Routers anmelden. Wenn Ihr Router Sie nicht automatisch benachrichtigt, finden Sie die Option zum Überprüfen und Aktualisieren der Router-Firmware in der Regel unter "Verwaltung", "Erweitert", "Firmware-Update" oder "Router-Update" in den Einstellungen Ihres Routers.
Einige Router bieten auch automatische Firmware-Updates an. Dies kann eine echte Möglichkeit sein, um über Firmware-Updates auf dem Laufenden zu bleiben. Bevor Sie jedoch automatische Firmware-Updates aktivieren, sollten Sie sich genau darüber informieren, wie diese auf Ihrem Router durchgeführt werden, um sicherzustellen, dass die Updates Ihre Verbindung nicht beeinträchtigen.
Einrichtung eines VPN auf Ihrem Router in Betracht ziehen
Wenn Sie bereits ein virtuelles privates Netzwerk (VPN) verwenden, können Sie es auf Ihrem Router einrichten, um Ihr gesamtes Heimnetzwerk und alle Geräte, die daran angeschlossen sind, zu schützen. Auf diese Weise können Sie nicht nur die Verschlüsselung des VPN-Verkehrs auf Geräte ausweiten, für die es keine VPN-Anwendungen gibt (z. B. Videospielkonsolen), sondern auch mehrere Geräte über eine einzige VPN-Verbindung betreiben (was nützlich sein kann, wenn Ihr VPN-Anbieter die Anzahl der Verbindungen begrenzt).
Die Option zur Installation eines VPN finden Sie in der Regel in den Einstellungen Ihres Routers unter "Erweitert", "VPN", "VPN-Client" oder "VPN-Server".
Unsere empfohlenen VPN-Anbieter finden Sie hier.
15) Installation einer angepassten Router-Firmware in Betracht ziehen
Die meisten Router-Firmware-Programme sind Closed-Source-Programme, d.h. es gibt keinen öffentlich zugänglichen Quellcode, der überprüft werden kann, und die Funktionen werden vom Anbieter der Firmware festgelegt. Wenn Sie mehr Einblick in den Quellcode Ihres Routers haben und die Funktionen anpassen möchten, sollten Sie die Installation einer benutzerdefinierten Router-Firmware in Erwägung ziehen.
Zwei der beliebtesten Open-Source-Lösungen für angepasste Router-Firmware sind OpenWrt und PfSense.
OpenWrt bietet mehr als 3.000 Pakete, die installiert werden können, um Ihrem Router zusätzliche Funktionen hinzuzufügen. Mit diesen Paketen können Sie Werbung auf Routerebene blockieren (was bedeutet, dass sie auf allen Geräten blockiert wird), Download- und Bandbreitenbeschränkungen festlegen, Ihren Router zu einem zentralen Knotenpunkt für die Heimautomatisierung machen und vieles mehr.
PfSense verfügt über mehr als 60 Pakete, die installiert werden können, um die Funktionalität des Routers zu erweitern. Ferner bietet PfSense integrierte Backup-Konfigurationen (mit denen Sie Ihre Router-Einstellungen einfach sichern können), spezifisches Traffic-Routing (mit dem Sie festlegen können, wie die einzelnen Geräte ihren Datenverkehr leiten sollen, z.B. können Sie festlegen, dass einige Geräte ihren Datenverkehr über Ihr VPN leiten und andere Geräte Ihr VPN nicht verwenden), einfache Konfigurationen von Firewall-Regeln und vieles mehr.
Einige Router sind nicht mit benutzerdefinierter Firmware kompatibel, daher müssen Sie prüfen, ob Sie OpenWrt oder PfSense auf Ihrem Router installieren können. Sie können in der offiziellen Dokumentation Ihres Routers nachsehen oder nach "[Routername] openwrt" oder "[Routername] pfsense" suchen, um herauszufinden, ob Ihr Router benutzerdefinierte Firmware unterstützt.
Wenn Ihr Router benutzerdefinierte Firmware unterstützt, suchen Sie in den Suchergebnissen nach Installationsanweisungen und folgen Sie diesen, um OpenWrt oder PfSense auf Ihrem Router zu installieren.
Schränken Sie die physische Sichtbarkeit Ihres Routers ein.
Ihr Router enthält viele physikalische Informationen, die von Angreifern ausgenutzt werden könnten. Zum Beispiel könnte die Form oder der Text auf Ihrem Router die Marke und Modellnummer verraten. Sie sollten daher Maßnahmen ergreifen, um die Sichtbarkeit Ihres Routers zu verbergen.
Im Idealfall sollte er an einem vollkommen unzugänglichen Ort aufgestellt werden, z. B. in einem Schrank oder in einem separaten Raum. Zumindest sollte er in einem Bereich stehen, der nicht durch Fenster eingesehen werden kann.
Helfen Sie anderen, ihren Router sicherer und schneller zu machen
Wenn Sie diese Tipps befolgen, können Sie schneller und sicherer im Internet surfen. Geben Sie diese Tipps auch an Freunde, Verwandte und andere Personen weiter, die ihre Router-Einstellungen aktualisieren müssen. Quelle: Make These Changes To Your Router to Patch Security Holes and Increase Internet Speed,

Lesermeinung Gooken
Unter vielem anderen zusätzlich zu beachten:

Welche Server sind mit dem Router verbunden? Dritte? Gastserver? Gäste? Sperrung/Austragung/Deaktivierung
Ist der Adressraum IPv6 zugelassen (statische Adressen)? Wir emfehlen nur IPv4.
Neben UPnP: Mediaserver, NAS-Server, ...: aktiveren oder deaktivieren.
Ist eine WPA3-Verschlüsselung möglich?
Aktivierte Router-Firewall (Verhinderung der Nutzung verbundener Geräte als Server, geräteweise Einstellung)?
Individuelle Benutzereinstellungen?
Automatische Updates für den Router: aktivieren/deaktiveren
Automatische Verbindungsaufnahme zum ISP (Internet Service Provider, Internet-Zugang-Anbieter)? deaktivieren
Wartung/Reparatur des Routers durch Dritte? deaktivieren
... (!)
Gehen Sie sorgsam alle möglichen Router-Einstellungen durch und halten Sie eventuell Rücksprache mit ihrem ISP!

OKNetwork scanner tools
Debian does provide some tools used for remote scanning of hosts (but not vulnerability assessment). These tools are, in some cases, used by vulnerability assessment scanners as the first type of "attack" run against remote hosts in an attempt to determine remote services available. Currently Debian provides:

nmap, xprobe, p0f, knocker, isic, hping2, icmpush, nbtscan (for SMB /NetBIOS audits), fragrouter, strobe (in the netdiag package), irpas

While xprobe provide only remote operating system detection (using TCP/IP fingerprinting, nmap and knocker do both operating system detection and port scanning of the remote hosts. On the other hand, hping2 and icmpush can be used for remote ICMP attack techniques.
Designed specifically for SMB networks, nbtscan can be used to scan IP networks and retrieve name information from SMB-enabled servers, including: usernames, network names, MAC addresses...
On the other hand, fragrouter can be used to test network intrusion detection systems and see if the NIDS can be eluded by fragmentation attacks.

OKVirtual Private Networks
A virtual private network (VPN) is a group of two or more computer systems, typically connected to a private network with limited public network access, that communicate securely over a public network. VPNs may connect a single computer to a private network (client-server), or a remote LAN to a private network (server-server). VPNs often include the use of encryption, strong authentication of remote users or hosts, and methods for hiding the private network´s topology.
Debian provides quite a few packages to set up encrypted virtual private networks:

vtun, tunnelv (non-US section), cipe-source, cipe-common, tinc, secvpn, pptpd, openvpn, openswan (

The OpenSWAN package is probably the best choice overall, since it promises to interoperate with almost anything that uses the IP security protocol, IPsec (RFC 2411). However, the other packages listed above can also help you get a secure tunnel up in a hurry. The point to point tunneling protocol (PPTP) is a proprietary Microsoft protocol for VPN. It is supported under Linux, but is known to have serious security issues.
For more information see the VPN-Masquerade HOWTO (covers IPsec and PPTP), VPN HOWTO (covers PPP over SSH), Cipe mini-HOWTO, and PPP and SSH mini-HOWTO.
Also worth checking out is Yavipin, but no Debian packages seem to be available yet.

OKReaction in the case of user-idle-state,
Now that we´ve restricted the login options for the server, lets kick off all the idle folks. To do this, we´re going to use a bash variable in /etc/profile. There are some reasonably trivial ways around this of course, but it´s all about layering the security.

echo "Idle users will be removed after 15 minutes"
echo "readonly TMOUT=900" >> /etc/profile.d/
echo "readonly HISTFILE" >> /etc/profile.d/
chmod +x /etc/profile.d/

OKRestrictions for cron and at,
In some cases, administrators may want the root user or other trusted users to be able to run cronjobs or timed scripts with at. In order to lock these down, you will need to create a cron.deny and at.deny file inside /etc with the names of all blocked users. An easy way to do this is to parse /etc/passwd. The script below will do this for you.

echo "Locking down Cron"
touch /etc/cron.allow
chmod 600 /etc/cron.allow
awk -F: ´{print $1}´ /etc/passwd | grep -v root > /etc/cron.deny
echo "Locking down AT"
touch /etc/at.allow
chmod 600 /etc/at.allow
awk -F: ´{print $1}´ /etc/passwd | grep -v root > /etc/at.deny

OKLockdown Cronjobs
Cron has it´s own built in feature, where it allows to specify who may, and who may not want to run jobs. This is controlled by the use of files called /etc/cron.allow and /etc/cron.deny. To lock a user using cron, simply add user names in cron.deny and to allow a user to run cron add in cron.allow file. If you would like to disable all users from using cron, add the ´ALL´ line to cron.deny file.

# echo ALL >>/etc/cron.deny
Cron Scheduling Examples in Linux:

OKSysctl Security,
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. If these lines exist, modify them to match below. If they don´t exist, simply add them in. If you have multiple network interfaces on the server, some of these may cause issues. Test these before you put them into production. If you want to know more about any of these options, install the kernel-doc package, and look in Documentation/networking/ip-sysctl.txt

# Kernel sysctl configuration file
# /etc/sysctl.conf
# test with sysctl -p /etc/sysctl.conf
# additionally from resp. # Turn on execshild
# kernel.exec-shield = 1
# Controls the System Request debugging functionality of the kernel kernel.sysrq =0 # Controls whether core dumps will append the PID to the core filename. # Useful for debugging multi-threaded applications. kernel.core_uses_pid = 0 kernel.dmesg_restrict = 1
kernel.randomize_va_space = 1
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728
# Allow for more PIDs (to reduce rollover problems); may break some programs 32768
kernel.pid_max = 65536
kernel.printk_ratelimit = 5 # period to wait in seconds
kernel.printk_ratelimit_burst = 60 # max. amount same time
vm.overcommit_memory=2 # mouseclick-fast
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mouseclick-fast
# or: vm.overcommit_kbytes= =3
vm.oom_dump_tasks =0 =1000 =200000
# Optimization for port usefor LBs
# Increase system file descriptor limit
fs.file-max = 65535
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog = 1280
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_window_scaling = 1
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
# Increase system IP port limits
net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
# Tune IPv6
net.ipv6.conf.default.router_solicitations = 0
net.ipv6.conf.default.accept_ra_rtr_pref = 0
net.ipv6.conf.default.accept_ra_pinfo = 0
net.ipv6.conf.default.accept_ra_defrtr = 0
net.ipv6.conf.default.autoconf = 0
net.ipv6.conf.default.dad_transmits = 0
net.ipv6.conf.default.max_addresses = 0
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max = 8388608
net.core.wmem_max = 8388608
net.core.netdev_max_backlog = 5000
# net.core.default_qdisc=sch_fq_codel
# BBR # net.core.default_qdisc=fq # net.ipv4.tcp_congestion_control=bbr # If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1
# to be able to eject via the device eject button (magicdev)

# BBR - Netwerkturbo für Linux
# Die neue Flusskontrolle erscheint aber auch ideal für Server im lokalen Netzwerk, die hin und wieder die Netzwerkbandbreite voll ausschöpfen sollen, etwa bei der Übertragung großer Dateien bei NAS-Geräten, Nextcloud- oder # Streamingservern.
# # net.core.default_qdisc=fq
# Increase Linux auto tuning TCP buffer limits
# min, default, and max number of bytes to use
# set max to at least 4MB, or higher if you use very high BDP paths
net.core.rmem_max =212992
net.core.wmem_max =212992
net.core.netdev_max_backlog = 5000
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 134217728
kernel.shmall = 4294967296
kernel.randomize_va_space = 2
net.ipv4.conf.all.log_martians=1# sysctl.conf(5) for more details.
net.ipv6.conf.lo.use_tempaddr = 0
# Disables IP dynaddr
net.ipv4.ip_dynaddr = 1
# Disable ECN
net.ipv4.tcp_ecn = 1
# Controls source route verification
net.ipv4.conf.all.rp_filter =1
net.ipv4.conf.default.rp_filter = 1

# Do not accept source routing
net.ipv4.conf.default.accept_source_route = 0

# Controls the System Request debugging functionality of the kernel
kernel.sysrq =0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 0

kernel.dmesg_restrict = 1
# If you set this variable to 1 then cd tray will close automatically when the
# cd drive is being accessed.
# Setting this to 1 is not advised when supermount is enabled
# (as it has been known to cause problems)
# removed to fix some digital extraction problems
# dev.cdrom.check_media=1

# to be able to eject via the device eject button (magicdev)

# Disable netfilter on bridges.
#net.bridge.bridge-nf-call-ip6tables = 0
#net.bridge.bridge-nf-call-iptables = 0
#net.bridge.bridge-nf-call-arptables = 0
net.ipv4.ip_forward =0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.tcp_max_syn_backlog =512
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.tcp_syncookies = 1

net.ipv4.ip_local_port_range = 2000 65000
# Increase TCP max buffer size setable using setsockopt()
net.ipv4.tcp_rmem = 4096 87380 8388608
net.ipv4.tcp_wmem = 4096 87380 8388608
net.core.rmem_default =212992
net.core.wmem_default =212992
net.ipv4.tcp_fin_timeout =3600
net.ipv4.tcp_keepalive_time =7200
net.ipv4.tcp_keepalive_probes =7
net.ipv4.tcp_syn_retries =6
net.ipv4.tcp_retries1 =1
net.ipv4.tcp_retries2 =3
net.ipv4.tcp_retrans_collapse =1
net.ipv4.tcp_sack =1
net.ipv4.ip_default_ttl =64
net.ipv4.ipfrag_time =30
net.ipv4.ip_no_pmtu_disc =0
net.unix.max_dgram_qlen =10
vm.overcommit_memory =2
vm.overcommit_ratio=150 # 4 GB RAM + 2 GB SWAP, mausklick-schnell
# or: vm.overcommit_kbytes= =3
kernel.ctrl-alt-del =1
kernel.panic =0
kernel.acct =4 2 30
kernel.printk =4
kernel.shmall =-1
kernel.shmmax =134217728 =1000 =200000

OKGooken´s excellent DNS-security-concept, details from much further below: "DNS-surf-mask" local (etc/hosts/) for fundamental domain-IP including some blocks, followed by pdnsd (the local DNS-proxy/DNS-server with adjustable long-time storage) and finally tordns (the anonymizing DNS-Server of Tor (the Onion Router), tor-resolve)

OKDeactivate IPv6,
IPv6 is part of a Linux-kernel since 2.6.28. Such addresses do never change. If IPv6 is configured wrong, it can cause troubles within a network and for DNS-queries.
IPv6 is enabled on Ubuntu by default. Most firewalls (like LINFW3) only apply to IPv4, and completely ignore IPv6. If you don´t use IPv6 at all, you can prevent it loading at boot time by changing alias net-pf-10 ipv6 to alias net-pf-10 off in /etc/modprobe.d/aliases resp. /etc/modprobe.conf and scheduling a reboot.

RedHat Enterprise Linux / CentOS / Fedora Core:
/etc/modprobe.conf, change line:

alias net-pf-10 ipv6
alias net-pf-10 off
alias ipv6 off

and restart the computer.

RedHat Enterprise Linux / CentOS / Fedora Core / Mandriva:
Add the following entry to /etc/sysconfig/network:


... and restart the system.

OKktune: Kernel-Tuning resp. by boot-options ( /etc/init.d/ktune, if not already done in /boot/grub/menu.lst)), so make it mouseclick-fast
nano /etc/sysctl.d/01-disable-ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1

nano /etc/sysctl.d/10-ptrace.conf

nano /etc/sysctl.d/50-kptr-restrict.conf

nano /etc/sysctl.d/armci.conf
# Controls the maximum shared segment size, in bytes, siehe auch /etc/sysctl.conf
kernel.shmmax = 134217728

nano /etc/sysctl.d/libvirtd
The kernel allocates aio memory on demand, and this number limits the
# number of parallel aio requests; the only drawback of a larger limit is
# that a malicious guest could issue parallel requests to cause the kernel
# to set aside memory. Set this number at least as large as
# 128 * (number of virtual disks on the host)
# Libvirt uses a default of 1M requests to allow 8k disks, with at most
# 64M of kernel memory if all disks hit an aio request at the same time.
# fs.aio-max-nr = 1048576

Start ktune
sh /etc/init.d/ktune start

OKDeactivate IPv6
This article describes, howto deactivate the IPv6 support for Linux and Windows. Dies kann aus Sicherheitsgründen sinnvoll sein, solange man IPv6 noch nicht produktiv einsetzt. Damit kann verhindert werden, dass man eine IPv6 Adresse erhält, sobald ein IPv6 Router Advertisement Daemon in einem Netz verfügbar ist. Außerdem sind bestehende Firewall Rules oft nicht für IPv6 gültig. In diesem Fall hätte man dann unter Umständen Dienste per IPv6 zugänglich die man eigentlich mit einer IPv4 Regel unterbunden hat. Unter Linux gibt es das eigene Kommando "ip6tables" zur Verwaltung der IPv6 Firewall Rules.
1 Ubuntu
2 RHEL / CentOS
In Ubuntu 10.04, 12.04, 14.04 und 16.04 ist IPv6 direkt in den Kernel kompiliert und wird nicht als Modul geladen. Die einfachste Methode um IPv6 zu deaktivieren ist den passenden sysctl Parameter zu setzen. Temporär kann dies mit folgendem Kommando erfolgen:

echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6

Um diese Einstellung dauerhaft vorzunehmen bietet es sich an auf die sysctl Funktionalitäten zurückzugreifen. Dafür einfach eine Datei namens /etc/sysctl.d/01-disable-ipv6.conf anlegen mit folgendem Inhalt:

net.ipv6.conf.all.disable_ipv6 = 1

Nach dem nächsten Reboot ist IPv6 dann deaktiviert.

Am besten kann dies mit dem Kommando "ip addr show" überprüft werden. Es darf dann keine Einträge mit dem Text "inet6" mehr geben.

ip addr show | grep inet6


Unter RHEL 6 / CentOS 6 (with many patches/updates by Jonny Hughes, NY, kann die Deaktivierung von IPv6 ident wie unter Ubuntu via sysctl erfolgen (siehe oben).

In RHEL 4 / CentOS 4 ist IPv6 als Modul integriert. Um dieses zu deaktiveren einfach folgende Zeile in der Datei /etc/modprobe.conf hinzufügen:

install ipv6 /bin/true

Die Überprüfung, ob es geklappt hat, kann mit dem Kommando "ip addr show | grep inet6" oder alternativ mit dem Kommando

lsmod | grep -i ipv6

OKTCP Wrapper,
Next we need to have a look inside /etc/sysctl.conf and make some basic changes. The TCP wrappers can provide a quick and easy method for controlling access to applications linked to them. Examples of TCP Wrapper aware applications are sshd, and portmap. A restrictive example is below. This example blocks everything but ssh:

echo "ALL:ALL" >> /etc/hosts.deny
echo "sshd:ALL" >> /etc/hosts.allow
echo "ALL:ALL:DENY" >> /etc/hosts.allow

OKTurn on SELinux
Security-Enhanced Linux (SELinux) is a compulsory access control security mechanism provided in the kernel. Disabling SELinux means removing security mechanism from the system. Think twice carefully before removing, if your system is attached to internet and accessed by the public, then think some more on it.
SELinux provides three basic modes of operation and they are.
Enforcing: This is default mode which enable and enforce the SELinux security policy on the machine.
Permissive: In this mode, SELinux will not enforce the security policy on the system, only warn and log actions. This mode is very useful in term of troubleshooting SELinux related issues.
Disabled: SELinux is turned off.
You can view current status of SELinux mode from the command line using ´system-config-selinux´, ´getenforce´ or ´sestatus´ commands.
# sestatus
If it is disabled, enable SELinux using the following command.

setenforce enforcing

It also can be managed from ´/etc/selinux/config´ file, where you can enable or disable it. Bootparameter in /boot/grub/menu:lst: "selinux=1"

AppArmor or SELinux?,
Why does Ubuntu not use SELinux, ... I see it so too.... I have no trust anymore. . Tom-L. Beiträge form year 2007 ( five years before Snowden´s publications...): 1181.
Many thanks, I am going to reed it having time next morning..
Soso, NSA aso. Hmm, I would for myself wouldn´t bother about ... I mean, ok, of it would be our government Bundesregierung... Bundes-trojan :lol:
No, but to be serious: Security against third parties may be higher, if institutes like NSA are involved, but I feel the shabby smell with it too.

Maybe someone can convince us from the opposite.
For me America means (... the governmental organizations): I like everything to know and to snoop upon.
Avatar von Murdoc
I also see this....I simple do not have any trust anymore:(

Tom L.: I mean having read, that SELinux is an official part of the kernel. Therefore I believe, that Kernel developer ( and more than only the same one) has studied the source code carefully.

glasen: Sorry, but I can not stand your paranoia.
Obviously NSA become a member to develope SELinux, but as Linux is open-source free software, it is impossible for NSA to keep any backdoors secretly open.
If there were one line code, that could not stand Peer-Review, SELinux would never be a part of the kernel-sources!

Murdoc: I believe this too, but they have studied everything, but there are also kernel-exploits :-/

If secret services would do this, intergrating backdoors within the kernel ..., then certainly not by a project like SELinux, but through other parts of the kernel.
comm_a_nder: Hey, boys, think about it.

Mosurft: Generally I do not feel well connecting SELinux made by NSA, even for - I do believe - noone can study and analyze each part of the source-code. Anyoune does always not notice anything, otherwise there would be no lacks in security and even a secret service has got the most interest in getting and checking a PC with the click on the buttom, in order to check out PCs...
I´d like to know, who runs SELinux on a computer with Ubuntu and how it functions! And if someone does not like SELinux, what about Grsecurity? Did anyone check it out?
Greetings, Mo.

comm_a_nder: If i said it in the wrong way and you feel attacked in person, it makes me sorry.
Back to the theme: Especially the parts of software added by NSA, have been checked out well. But as I told you, there were surely much more effective ways for the boys from "Crypto City" to migrate code into kernel-source.

Murdoc. As we are going on paranoidal, I ask for the BIOS.
Now, as ASUS offers a Minimal Linux to browse, the question is posed, what the BIOS is all enabled to do?

Mosurft: If I do not trust the BIOS, then I better do not use any computer...! ;) ...

Introduced mainboard ITX-220 comes with in- and deactivable BIOS-LAN-Chip and Coretemp for the regulation of the temperature... Next point: SELinux. As our excurs shows, it is suspicously not needed. So we´d prefer to deactivate it right within the boot-paramters.

OKReview Logs Regularly
Move logs in dedicated log server, this may prevents intruders to easily modify local logs. Below are the Common Linux default log files name and their usage:

/var/log/message - Where whole system logs or current activity logs are available.
/var/log/auth.log - Authentication logs.
/var/log/kern.log - Kernel logs.
/var/log/cron.log - Crond logs (cron job).
/var/log/maillog - Mail server logs.
/var/log/boot.log - System boot log.
/var/log/mysqld.log - MySQL database server log file.
/var/log/secure - Authentication log.
/var/log/utmp or /var/log/wtmp : Login records file.
/var/log/yum.log: Yum log files.

OKShared Memory (shm und tmpfs, siehe unsere /etc/fstab im noch Folgenden),
By default, /run/shm is mounted read/write, with permission to execute programs. In recent years, many security mailing lists have noted many exploits where /run/shm is used in an attack against a running service, such as httpd. Most of these exploits, however, rely on an insecure web application rather than a vulnerability in Apache or Ubuntu. There are a few reasons for it to be mounted read/write in specific configurations, such as real-time configuration of a Synaptics touchpad for laptops, but for servers and desktop installations there is no benefit to mounting /run/shm read/write. To change this setting, edit the /etc/fstab file to include the following line:

none /run/shm tmpfs defaults,ro 0 0

resp. :

A common exploit vector is going through shared memory (which can let you change the UID of running programs and other malicious actions). It can also be used as a place to drop files once an initial breakin has been made. An example of one such exploit is available here.
Open /etc/fstab/:

tmpfs /dev/shm tmpfs defaults,ro 0 0

This will mount /run/shm in read-only mode. Note: MANY programs will not work if you make /run/shm read-only (e.g. Google Chrome).If you have a good reason to keep it writable, put this line in /etc/fstab instead:

none /run/shm tmpfs rw,noexec,nosuid,nodev 0 0

This will mount /run/shm writable, but without permission to execute programs, without permission to change the UID of running programs, or to create block or character devices in the namespace.

The changes will take effect the next time you reboot, unless you remount /run/shm with the command sudo mount -o remount /run/shm.

OKSSH Settings,
While the SSH daemon is secure enough for most people, some may wish to further enhance their security by changing certain sshd settings. Some settings which could be changed to enhance security are given here. All changes, unless otherwise stated, are made in the /etc/ssh/sshd_config file. Lines with a pound sign (#) are commented and not read. To edit this file from a terminal:

sudoedit /etc/ssh/sshd_config

For a Gnome editor, press Alt+F2 and use:

gksudo gedit /etc/ssh/sshd_config

For a KDE editor, press Alt+F2 and use:

kdesu kate /etc/ssh/sshd_config

Please remember, after making any changes, sshd must be restarted, which can be done from the terminal with this command:

service ssh restart (CentOS: sh /etc/init.d/sshd restart)
..., .

OKConfiguring bastille,
The Bastille Hardening program "locks down" an operating system, proactively configuring the system for increased security and decreasing its susceptibility to compromise. Bastille can also assess a system´s current state of hardening, granularly reporting on each of the security settings with which it works.

File permissions module: Yes (suid)
Disable SUID for mount/umount: Yes
Disable SUID on ping: Yes
Disable clear-text r-protocols that use IP-based authentication? Yes Enforce password aging? No (situation dependent, I have no users accessing my machines except me, and I only allow ssh keys)
Default umask: Yes
Umask: 077
Disable root login on tty 1-6: Yes
Password protect GRUB prompt: No (situation dependent, I´m on a VPS and would like to get support in case I need it)
Password protect su mode: Yes
default-deny on tcp-wrappers and xinetd? No
Ensure telnet doesn´t run? Yes
Ensure FTP does not run? Yes
display authorized use message? No (situation dependent, if you had other users, Yes)
Put limits on system resource usage? Yes
Restrict console access to group of users? Yes (then choose root)
Add additional logging? Yes
Setup remote logging, if you have a remote log host, I don´t so I answered No
Setup process accounting? Yes
Disable acpid? Yes
Deactivate nfs + samba? Yes (situation dependent)
Stop sendmail from running in daemon mode? No (I have this firewalled off, so I´m not concerned)
Deactivate apache? Yes
Disable printing? Yes
TMPDIR/TMP scripts? No (if a multi-user system, yes)
Packet filtering script? Yes
Finished? YES! & reboot

OKLink the dns resolver nslookup to the anonymizing tor-resolve
We are going to write about Tor (The Onion Router) at the end of our excurs. If you already use Tor, secure up your system by linking nslookup with the DNS-anonymizing resolver tor-resolve:
make a copy of nslookup: cp -f /usr/bin/nslookup /usr/bin/nslookup-save
links nslookup with tor-resolve: ln -sf /usr/bin/tor-resolve /usr/bin/nslookup.
You can do the same for dns-resolving host and dig too.
Notice, that the output of those programs is not the same (but in all cases they do contain the IP for the domain requested).
For programs that do not work past this linking, enter the ip-domain-pairs in /etc/hosts and adjust /etc/nsswitch.conf. Read more about /etc/hosts at the end of our excurs.
At last, think about setting ACL-rights upon these files, see our section for setfacl.

OKFor our "Universal-Linux" (backported sytem) an actual kernel and actual kernel-firmware can be downloaded from PCLinuxOS, a backport of Fedora Core, ROSA, Mageia and Mandriva, or or and other URL. We strongly recommend LONGTERMED kernel-5.4.249 (pclos2023) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: Version 008)), glibc (el8, pclos) and kernel-firmware (pclos) and kernel-firmware-extra (pclos) and Konqueror (el6) with the intergrated adbocker resp. actual Firefox (ESR, the backported company edition) from or with extensions named on this webside in the following.

After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".

OKDeinstallation of programs (also see section "Updating/Updates"): If sudo, rpcbind, portmapper, sshd SSH-Daemon, rsh, telnet, avahi-daemon or cups-browsed daemon of the CUPS-system is not needed for example, it is possible to deactivate or deinstall them: "dpkg ..." , "rpm -e [nodeps]" source:

Quota limits the memory consumption for a single user and/or group, so that an "overflow" of a volume resp. partition is prevented. For quota the kernal must be configured. If CONFIG_QFMT_V2 is set as modul, kernel modul quota_v2.ko is added to /etc/modules:

sudo echo quota_v2 >>, /etc/modules

For quota following packages have to be installed:

sudo aptitude install quota quotatool

If there is not any quota upon NFS-mounted file systems resp. RPC-quota-server, the service RPC-Remote-Quota-Server can be deactivated:

sudo systemctl disable quotarpc.service # sh /etc/init.d/quota... stop # and disable

In /etc/fstab the mount-options of the /fs file system are added with the options for the usage of journaling quota:


/fs /mountpoint ext4 optionen,usrjquota=aquota.usr/,jqfmt=vfsv0|1

Use usrjquota for quota of user and/or grpjquota for groups. Volumes with a size of 4TB use quota-format vfsv1.

Finally restart the system, if the file system can not be mounted by the following command:

sudo mount -o remount /mountpoint

More details and source:

Deactivate as much as possible, that means all modules, that are not needed. The preconfiguration for single user is already set for the everyday life. This might differ from special requirements and development and a backup-kernel should be installed parallely too, if the configuration and the boot fails.

More details and source:
We are describing, how to configure and compile the kernel-source in our section for updates.

OKBlocking of modules (resp. by "blacklist modul-name" within /etc/modules.d).

OKDienste mit systemd
Removal and deactivation
Deactive all services, that are not needed. Either deinstall complete packages or, if a deinstallation is not wanted, use systemctl (alternatively: ntsysv, chkconfig or MCC#system-services (mdv2010) for deactivation).

More about security-settings for services by systemd and source: .

OKat & cron
Resrict the users, that are enable to create and modify at (batch) and cron jobs, enable them within /etc/at.allow and /etc/cron.allow by entering them with their login-name line-by-line (only for users, that are enabled).

OKHardend compilation
Flags, that can be set for the configure-Script.


´CFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CXXFLAGS= -g -O2 -fPIE -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fPIE -pie -Wl,-z,relro -Wl,-z,now´

Shared Library

´CFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´CXXFLAGS= -g -O2 -fpic -fstack-protector-strong -Wformat -Wformat-security -Werror=format-security´
´LDFLAGS= -fpic -Wl,-z,relro -Wl,-z,now´

If option "-fpic" does not work, use "-fPIC".

OKEvtl. deinstall ( rpm -e packagename or rpm -e --nodeps packagename )
ConsoleKit (el6, except /usr/libexec/ck*session-info*) rpcbind (el6, mdv2010.2), sudo (el6, mdv2010.2), portmap (el6, mdv2010.2), dayplanner, mmc-agent (mdv2010.2), tracker (mdv2010), codeina (mdv2010), xguest (mdv2010), wu-ftpd (mdv2010), anonftp (mdv), mdkonline (mdv2010), f-spot (does not work on the base of updated mono (rosa2014.1), abrt (el6), funguloids (mdv2010.2), banshee (rosa,mdv) and amarok (rosa,mdv): unavailable for el6, both ones do not work, qmmp (el6, mdv) does not work, lxde (mdv2010, lxpanel tries to get inpredictable root-access).

OKStart only the processes needed. Use net_applet from NetworkManager and not nm-applet. There might be an error in the skript for NetworkManager. Replace everything except last line in start() with "/usr/bin/NetworkManager --login-level=INFO".

Commercial modules: Linux and the NSA
tgruene, 16.10.2013
Bei dem letzten Newslink über Oracles Versuch, dem DOD den Vorteil kommerzieller Software zu erkläeren, kam mir der Gedanke, dass auf einem.typischen Linuxrechner eine ganze Reihe Module laufen, fuer die kein Quellcode zur Verfuegung steht (die dafür von US-amerikanischen Firmen zur Verfügung gestellt werden und somit vermutlich auch gesetzestreue (aka NSA-freundliche) Hintertüren enthalten), seien es Nvidia/ATI-Treiber, Virtualbox oder unter Debian vermutlich fast der gesamte Inhalt von firmware-linux-nonfree.
Mich interessiert, wie gut der Kernel und die Module voneinander abgeschottet sind - wie leicht ist es, solch einem Modul z.B. einen Keylogger einzubauen, der meine Passwörter beim Tippen abfängt und übers Internet irgendwohin schickt? Dass die NSA meine Emails liest, ist unverschämt, stört mich aber an sich nicht weiter, sonst würde ich ja keine Emails an Leute schreiben, deren Schlüssel ich nicht kenne, doch meinen GPG-Schlüssel und die Passwörter abzuhören - dagegen habe ich ganz ordentlich etwas.

OKTerminal -> lsmod
blacklist mei
blacklist it87 # disabled for Mainboard ASUS ITX-220
blacklist i2c_dev # ITX-220
blacklist coretemp # ITX-220
blacklist snd-usb-audio
blacklist snd_pcm_oss
blacklist snd_mixer_oss
blacklist snd_seq_oss
blacklist pata_acpi
blacklist rivatv
blacklist i82875p_edac
# do not use "Boot Protocol" drivers, we prefer usbhid
# and they cause problems when loaded together with usbhid (#37726, #40861)
blacklist usbkbd
blacklist usbmouse
# disable PC speaker by default
# pcspkr is the standard driver, while snd-pcsp is the ALSA driver
blacklist pcspkr
blacklist snd-pcsp
blacklist pcspkr
blacklist snd-pcsp
blacklist vhost
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
blacklist it87
blacklist i2c_dev
blacklist coretemp
blacklist vhost_net
blacklist tpm_infineon
blacklist tmp_tis
blacklist tmp_tis_core
blacklist i82875p_edac
blacklist pcspkr
blacklist snd-pcsp
blacklist rivatv
blacklist i82875p_edac
blacklist pcspkr
# watchdog drivers
blacklist i8xx_tco
# framebuffer drivers
blacklist aty128fb
blacklist atyfb
blacklist radeonfb
blacklist i810fb
blacklist cirrusfb
blacklist intelfb
blacklist kyrofb
blacklist i2c-matroxfb
blacklist hgafb
blacklist nvidiafb
blacklist rivafb
blacklist savagefb
blacklist sstfb
blacklist neofb
blacklist tridentfb
blacklist tdfxfb
blacklist virgefb
blacklist vga16fb
blacklist matroxfb_base
# ISDN - see bugs 154799, 159068
blacklist hisax
blacklist hisax_fcpcipnp

OKPartition-check during each system boot)
This is described later on, but it might be such important, to tell it alrady at this place.
We assume, that the partitions got already encrypted with LUKS/dm-crypt (we are describing later on, how this can be made, if not). But the check will work upon unencrypted ones too. To be careful, we are going to check out partitions with file systems like ext4 each system boot, especially thinking of all the updating with rpm-packages in future.

tune2fs -c 1 /dev/mapper/cryptedhomepartition


reiserfstune -m 1 /dev/mapper/cryptedroot_resp_home_resp_bootpartition


tune2fs -d 7 /dev/mapper/cryptedroot_resp_home_resp_bootpartition

For unencrypted and not internal kernel-partitions replace the container-file "/dev/mapper/cryptedhomepartiton" with a device file like /dev/sda1.

Also activate in the device configuration file /etc/fstab the check each boot. Do this line (partition) by line (partition) more or less regarding "priorities&uot; of the check, by setting a positive interger not equal to zero behind the number (zero) for the (deactivated) dump at the end of the line: "0 1" for the root-partition, "0 1" or "0 2" for the home-partition and so on.
An example of the content of /etc/fstab as a whole is given further below.

OKApache-Webserver (httpd.conf) (analogous: LAN/Samba (samba.conf, database server/MySQL (my.cnf and mysld.conf) and other server, print-server (CUPS) see end of this website )
Now it is the turn for the webserver, almost Apache httpd 1.3 or 2.0. Basic functions are enriched by many loadable modules.
To see, which modules are really needed, have a look into /etc/apache/httpd.conf (CentOS 6 and CentOS 7: /etc/httpd/httpd.conf):

LoadModule autoindex_module /usr/lib/apache/1.3/
LoadModule dir_module /usr/lib/apache/1.3/
LoadModule cgi_module /usr/lib/apache/1.3/
LoadModule userdir_module /usr/lib/apache/1.3/
LoadModule proxy_module /usr/lib/apache/1.3/

Superfluos modules can be commented in by "#" plus blank at the very beginning of each line. Apache will work faster and will consumpt less memory the less modules are needed..

Only those modules should be loaded, that are really needed. The kind of server determines, which ones. Nevertheless there are modules, a standard webserver does not need:
* lib_status (presents a server-internal status)
* libproxy (an enormous security risk, as the webserver realizes a proxy for the accesses of other server)
* mod_cgi (to start so-called cgi-scripts. Such scripts are rarely used today as they are one more security risk)
* mod_userdir (generates a web-directory for each user)
In Debian, Apache 2.0 uses the file /etc/apache2/apache2.conf for configuration. All modules symbolically linked in /etc/apache2/mods-enabled are loaded by default. To deactivate such modules, the link has to be deleted.
After the config-files were changed,

apache -t

shows, if the configuration-syntax still is OK.

/etc/init.d/apache restart
/etc/init.d/apache2 restart # C6 (el6): sh /etc/init.d/httpd restart

restarts the server, therewith the changes can take into effect.

Notice, that SuSE makes it the other way. Apache-modules are loaded within the file /etc/sysconfig/apache2. Look out in this file for the line with "APACHE_MODULES" and delete the entries not needed. After this,

has to be started out of the shell. Restart Apache by
rcapache2 restart

Get more infos about the task for each module, have a look at und
More reports
Apache: Howto stop unwanted referer,

OKSecure Apache/PHP/Nginx server
Edit httpd.conf file (CentOS: /etc/httpd/conf/httpd.conf) and add the following:

ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options all -Indexes
Header always unset X-Powered-By

Restart the httpd/apache2 server on Linux
You must install and enable mod_security on RHEL/CentOS server. It is recommended that you edit php.ini and secure it too.

Der DDoS-Schutzdienst ist in der Lage, selbst die komplexesten DDoS-Angriffe abzuwehren.

Der Lastenausgleich geht häufig mit Ausfallsicherheitsmechanismen einher: Indem Sie einen Cluster mit der entsprechenden Kapazität aufbauen und die Anforderungen auf einzelne Systeme verteilen, können Sie die Ausfallsicherheit erhöhen Ausfallsicherheit, wenn der Ausfall eines Systems erkannt wird und die Anforderungen automatisch an ein anderes System gesendet werden.

OKHMAC authentication
HMAC stands for keyed-hash message authentication code. A message authentication code protects against the modification of transmitted data by an attacker, who can read the data in real time. TLS use hash values (hence the H in HMAC) out of the numerous possibilities for the reliable authentication of messages.

HMAC Authentication in Web API - Dot Net Tutorials
Understanding the Keys used in HMAC Authentication. Uses of HMAC Authentication in Web API. How does the HMAC Authentication work?

What is HMAC authentication and how does it make VPN safer?
HMAC stands for hashed message authentication code and is an important factor in VPN security. Learn why strong HMAC auth matters for VPN security.

OKStation-to-Station (STS) protocol, Cipher Block Chaining:
CBC stands for Cipher Block Chaining, which is every message depending on the previous passes. So can yourself short interruptions of the channel can be quickly noticed. Diffie-Hellman key exchange: A symmetric encryption scheme is used, the key of which is the negotiation of Diffie-Hellman key exchanges with elliptic curves. The server and the app use intelligent math to negotiate and verify the secret key, which is then used to encrypt the data for the entire session. Station-to-Station (STS) protocol: In public-key cryptography, the Station-to-Station (STS) protocol is a cryptographic key agreement scheme. The protocol is based on classic Diffie-Hellman, and provides mutual key and entity authentication. Unlike the classic Diffie-Hellman, which is not secure against a man-in-the-middle attack, this protocol assumes that the partieOKs have signature keys, which are used to sign messages, thereby providing security against man-in-the-middle attacks. In addition to protecting the established key from an attacker, the STS protocol uses no timestamps and provides perfect forward secrecy. It also entails two-way explicit key confirmation, making it an authenticated key agreement with key confirmation (AKC) protocol.

OKPretty Good Privacy
PGP encryption uses a serial combination of hashing, data compression, symmetric-key cryptography, and finally public-key cryptography; each step uses one of several supported algorithms. Each public key is bound to a username or an e-mail address. The first version of this system was generally known as a web of trust to contrast with the X.509 system, which uses a hierarchical approach based on certificate authority and which was added to PGP implementations later. Current versions of PGP encryption include both options through an automated key management server.

OKPerfect Forward Secrecy
With Perfect Forward Secrecy, even if a dedicated opponent is somehow able to attack the computer or server during a session, they will not be able to decrypt traffic from past sessions. The provider uses namely with each connection a new secret key. Even if you remain connected to the Server for a long period of time, the provider automatically changes the key every 60 minutes. This key renewal process every 60 minutes guarantees "Forward Secrecy". So if an attacker succeeds in compromising the key, in the worst case scenario, he could track the data for up to 60 minutes. Then everything is secret again.

OKShadowsocks SOCKS5 proxy (all servers) Shadowsocks Proxy can be used by the provider through the application (Mac OS X, Windows, Linux, iOS, Android, Windows 10 Mobile). In addition, there is an advantage that "shadow socks" can not even be blocked in highly restrictive networks.

OKSmart DNS Proxy (all servers)
There are currently two common ways to circumvent geo-blocks of foreign video-on-demand services such as Hulu, Netflix or Vudu. The first way is to use SmartDNS services. The term SmartDNS hides on innovative technology that has been specifically designed to bypass the geo-blocking barrier. To configure the SmartDNS service, there is only a minimal change to the TCP/IP properties of the network connection. Then, the user can freely use many suspended streaming services regardless of their current whereabouts.

Eigene DNS-Server ohne Festplatten (RAM-Disk). Zusätzlich werden OpenDNS-Server (IPv6) verwendet (Auswahlmöglichkeit in den Einstellungen). Der Dienst schützt zuverlässig vor dem bekannten DNS-Leck.,39079.html

Eine eigene Software verhindert zuverlässig Angriffe bekannter DNS-Leak-Methoden.

Der Service schützt zuverlässig vor dem bekannten WebRTC-Leak-Problem.

OKSpeicherschutz-Funktion (Schutz vor Serverausfällen):
Diese Funktion ist in der Lage, den verfügbaren Arbeitsspeicher so aufzuteilen und laufende Programme so voneinander zu trennen, dass ein Programmierfehler oder Absturz eines einzelnen Programms nicht die Stabilität anderer Programme oder des Gesamtsystems beeinträchtigt (Speicherschutz-Mechanismus).
Serverausfall (Schutzmöglichkeiten):
Unterspannungsschutz (UVP)
Überspannungsschutz (OVP)
Kurzschlusssicherung (SCP)
Überlastschutz (OPP)
Überstromschutz (OCP)
Überhitzungsschutz (OTP)
Japanische 105°C Kondensatoren (Lebensdauer vom Netzteil)
Brandmelder (im Serverraum eingebaut)
Diese Schutzfunktionen (Netzteil) können die meisten Serverausfälle verhindern.

OKLogin methods, Two-Factor-Authentification (TOTP)
Two factor authentication can be implemented for SSH access or other application login, it will improve login security by adding a second factor of authentication, that is the password is typically known as something you know, while the second factor may be a physical security token or mobile device which acts as something you have. The combination of something you know and something you have ensures that you are more likely who you say you are.

There are custom applications available for this such as Duo Securityand Google Authenticator as well as many others. These typically involve installing an application on a smart phone and then entering the generated code alongside your username and password when you authenticate.
Google Authenticator can be used for many other applications than just SSH, such as for WordPress login with third party plugin support.
4096 bit encryption/Eliptic-cuves-cryptography/
Two-Factor-Authentfication/connection (SSL/TLS encryption)/full IPv6
Support/HMAC-Authentifizierung/Cipher Block Chaining/Diffie-Hellman-Schlüsselaustausch/STS-Protokoll (Station-to-Station)/Pretty Good Privacy/Perfect Forward
Secrecy/encryption tool (Cloud Storage/Backup)/Failure Backup-solution/NAT-Firewall/
DDoS-protection/Lastverteilung/DNS-Leak/IP Leak/WebRTC Leak/WebRTC Leak/
Windows Login Leak/Arttifical Intelligence (NeuroRouting™)/Zero-Knowledge-Beweis/
Fiat-Shamir-Protokoll/Schnorr-Identification/SecureCore-function (security kernel)/
4096 bit encryption:
a) FreeOTP Authenticator
b) Authy
c) Microsoft Authenticator
d) LastPass Authenticator
e) Google Authenticator

OKKill hack-attempts against the Secure Shell
In order to prevent hundrets of sshd-tasks starting at the same by a hacking attempt, add the line

MaxStartups 3:30:10

into the configuratio file /etc/ssh/sshd_config. This restriction is effective but complicated. The values in the example mean, that 2 (= 1. value minus 1) unauthenticated (and therefore in the Login-state assembled) sshd-connections are always allowed.
A third connection (= 1. value) is blocked by a probability of 30% (second value).
The probaliity of ending a connection is increasing linear, until up from 10 opened (built-up) connections (third value) each attempt to build up a connection is blocked at all at the rate of 100 in percent.

Notice, that useres already logged in do not refer to these values! The values in the example from above should suffer the need for each small and middle-sized server. If there are plenty of SSH-user, higher values might be recommended, for example:

MaxStartups 10:30:50 6


OKForbid root-access for SSH
Change the ssh-configuration:

nano /etc/ssh/sshd_config

and set

PermitRootLogin no

And to make it most secure, we add the following lines:

# Only permit user admin.
AllowUsers admin
# Generally block root or user of group root:
DenyUsers root
DenyGroups root

This lines can be added at the beginning of the file. Enhance the entry AllowUser, if further on more user are permitted for the SSH-login. New user are separated by a blank and not colon,. for example:

AllowUsers admin user1 user2 user3 Now the ssh-daemon gets started:

service ssh restart


/etc/init.d/ssh reload

CentOS: sh /etc/init.d/sshd restart

Now we open a new session and try to login as root. By using the correct password, we get the message:
Access denied

OKSecure Linux Server
From Qloc Wiki
Here you find significant basics to secure a Debian/Ubuntu System. Except the tips listed here there are a lot of security precautions to make attacks more difficult.
Generally for all public systems essential services should only be accessible from the outside. Unused services like webserver or MySQL Server should eiteher be inaccessible with the help of iptables-rules or be deactivated.

1 Secure keywords (passwords)
2 SSH Port: secure up by change
3 Creating SSH-keys
4 Opening of required ports only
5 Prevention of Brute Force Attacks
6 Installing security updates

Right here we´d like to mention the server configuration files for many more security settings (like access/login, ACL-access-rights, log, bandwidth and server-ports (now "client"-ports) to open). Also search for adequate modules resp. securing server-extensions.

- Apache: mod_evasive against DDoS, mod_cband as traffic-Cop
- Fail2Ban for the https-vHosts- resp. htaccess authentification
- 24/7 monitoring with SMS alerting through an SMS Gateway via monit
- encrypted backups in two different computer centers
- instead of unencrypted ftp: SFTP. Transfer gets encrypted through sshd.
Configure an ftp-server working with ssl-encryption, it es similar to POP3 and IMAP. Then the transfers get secure, noone can read data.
Forbid anonymous accounts and run the ftp server in a chroot environment. This keeps away most annoynances.
Use ssh instead of ftpd just relying on ssh too.
Normalerweise ist das Verbinden mit einem FTP-Server mit SSL nicht schwieriger als mit einem ohne.
Just configure the ftp-client for the SSL-ecnryption and he will connect. The everyting works like connecting with a ftp-server without SSL. One will be just asked, if the certificate is accespted.
SSH use port 22. It is possible to upload files too, but the user once logged in has the possibility to access the system- except the account is chrooted.

OKMemory-protection-function (protection against server-breakdowns):
This function is be abled to separate the RAM into areas and distinguish processes the way, that programmers or breakdowns do not affect the stability of other processes or impairs the whole system (RAM-protection).
Low-Voltage-protection (UVP)
Overvoltage-protection (OVP)
Short circuit protection: (SCP)
Overload-protection (OPP)
Over current stream protection (OCP)
Over heat protection (OTP)
Japanese 105 degree condensators (lifetime of the netadapter)
Fire detectors (server room)

Chroot ( Befehl chroot ): is part of commands resp. communication-protocols like mount, ssh, stfp and effects one of the most serious hard threats! Help is given by sandboxes and/or/including the locking of the shells of the user (unfortunately a sandbox only, if a program works upon sandboxes, for example tor-browser does not (but migh have its own one). We are going to talk about this problem!

Chroot and Chroot-Jail (Chroot-Enviroment, Chroot-Sandbox)
Step by step:

Chroot and Chroot-Jail,,
A chroot on Unix operating systems is an operation, that changes the apparent root directory for the current running process and its children. A program that is run in such a modified environment cannot name (and therefore normally cannot access) files outside the designated directory tree. The term "chroot" may refer to the chroot system call or the chroot wrapper program. The modified environment is called a chroot jail.

Linux - Keeping users inside their home directory - Super User
If you use chroot like this, everything the user needs (executables, libraries, etc.) has to be within the chrooted directory. I´ve seen ftp-servers set up that way, with static executables copied into a bin directory.

How to configure ProFTPD to chroot users to /home directory or any ...
If you´re using ProFTPD user on a Linux server, you most certainly have wondered, how you can configure the FTP server to chroot (or jail) it´s users to a particular ...

Furthermore past the configuration the server can run in a lower, but even more safer runlevel like runlevel 3 (command: "init 3") than common runlevel 5 or 6. mgetty resp. mingetty: terminal-switch ( ALT + CTRL + F1 up to F7), server configuration file (if it is possible there), systemd (sysctl) or chkconfig (to set the runlevel for the server during system boot)

OKCoreboot - flashing the BIOS: Manufacturer BIOS-replacement by the Linux-System,
"System security already defines upon the hardware-level. Even today it might be difficult to find out WLAN-chipsets open source driver are provided. Exceptions like for AR9170 chipset are provided, same for the BIOS.
Idally Coreboot can replace the actual BIOS for a open-source, free BIOS. Otherwise hidden backdoors are risked usable by secret services.
We can be only really "secure", if open-source is used by hard- and software. [...].
Therefore I am urged for the project "hardened Linux" to make an exception and like to repeat, that this project does not protect against directed secret services.
I...] As I wrote with the first article, a secure operating system can only be obtained using Linux resp. Unix." # u.a.
Many BIOS-variants are associated with software failures. Getting rid of them often implies updates from manufacturer. Beneath these unintended restrictions basic approaches exist to implement more functions in proprietary firmware (BIOS resp. UEFI) in future, that make afraid of more conscious restrictions of functionality.
With Coreboot the system-startup-time can also be declined.

OKCopy the Bios-flashing file (.ROM) from manufacturer-DVD into the boot-partition too, in order to get loaded after pressing the function-key or the Bios-setup to flash, if required!

OKShorten the boot-time for your Linux rapidly: For grub, exchange the value for the automized election to five or three seconds only.
Initscripts: use systemd or care for a short list through chkconfig by deleting as many scripts out of the list you can find in /etc/init.d as possible, therefore use chkconfig --del. Also repair listed loop-errors of such scripts in that way warned agains during the system-boot.
If you put order into the list of init-scripts, Linux like C6 (CentOS 6) will boot in less than one minute (upon Intel Celeron in less than 20 seconds) even faster than Debian!
Of course more boot time for the typing in of the password for the decryption of the LUKS-encrypted root-partition, the partition-checks and for the boot (startup) of the Desktop Environment at the end of the boot has still to be considered (added)!

Disable any network-connection-build-up, until the system got booted!

OKhal resp. haldaemon extends the boot-startup-time for C6 (Centos 6) resp. "previous" mdv (2010-2012) until the KDE-login (kdm) without regarding the LUKS-passwort-login and harddisc-check by fsck (we thought of each boot) serious hard from around 20 seconds up to more than one minute ! hal resp. hald (haldaemon) might work faster by creating the file haldaemon within /etc/sysconfig with the follwoing include:

--child-timeout=15 # Begrenzung der Kindprozesse --daemon=no

In /etc/dbus-1/system.d/hal.conf forbid some up to now allowed methods and devices, eventually like LightSensor and WakeOnLan, and in another subdirectorys haldaemon referring files like *dell-computer* eventually can just be deleted (removed)..

OKConfiguration of the CD/DVD-Rom-devices

SUBSYSTEM=="block", KERNEL=="sr0", SYMLINK+="cdrom", GROUP="cdrom", MODE:="0777"

OKKonfiguration der Netzwerkschnittstelle /etc/udev/rules.d/70-persistent-net.rules for mainboard ASUS ITX-220

# This file was automatically generated by the /lib/udev/write_net_rules
# program, run by the persistent-net-generator.rules rules file.
# You can modify it, as long as you keep each rule on a single
# line, and change only the value of the NAME= key.
# Drakx-net rule for eth0 (cb:ad:b3:81:1a:53)

SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="cb:ad:b3:81:1a:53",ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x10ec:0x8168 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="0b:01:ab:ba:3b:15", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

First entry configures the interface as we hope NAME="eth0" for udev for the original mac-address in ATTR..., this is not the mac-address renewed by macchanger within /etc/rc.local later on, else set this exchanged one (renewed by macchanger already at this place), the second entry configures the PCI-interface of ITX-220 for, as we hope, NAME="eth1". This PCI-entry, or both entries, might be automatically generated by udev. Lookout, that belonging NAME is always eth0 is always the NAME in the first case (first entry) and eth1 in the last case (second entry) (and never eth0).



DHCP_CLIENT=dhclient -4 -cf /etc/dhcp/dhclient.conf eth0
MACADDR=e1:a0:b0:cd:a1:b8 # original OR "black masked" hardware address (ethernet-card): Try /etc/rc.local. "macchanger --mac e1:a0:b0:cd:a1:b8 eth0" and set in Linfw3 "your IP" to the by this mac-address new resp. origin pregiven one (local IP) next (or past) the connection-build-up. The computer (system) might break down after all these changes, but after some newstarts, the system will gain its old´n good stability right back.

More network troubleshooting:,3389115

OKIntall the actual netprofile (rpm: omv2015, pclos, rosa2014.1) only; never choose other (elder) buggish versions!

OKIf the interface is eth0 only, delete the following files:

rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases
rm -df /etc/netprofile/profiles/default/network/var/lib/dhcp/dhclient-eth1.leases

OKRemove all other interfaces except eth0 from drbl.conf, choose eth0 only, if eth0 is the net-interface
nano cd /etc/drbl/drbl.conf

There should be only one interface named eth0 be configured, even shown in MCC. If the net-adapter does not build up the connection, look out for all passages in files with eth not valued zero like eth1, eth2 and so on! Use grep -R to find such files and remove them (such passages)! Update dhclient (el6) and netprofile including all netprofile-plugins to netprofile (rosa2016.1, omv4)! If there are still problems, have a hort time to plug out the net adapter of the DSL-Modem to plug it in again for a new connection build-up with the DSL-provider. Now the net adapter should work fine and, as we hope forever!



link-local # link-local # In a computer network, a link-local address is a network address that is valid only for communications within the network segment (link) or the broadcast domain that the host is connected to. Link-local addresses are most often assigned automatically through a process known as stateless address autoconfiguration or link-local address autoconfiguration. Link-local addresses are not guaranteed to be unique beyond a single network segment. Routers therefore do not forward packets with link-local addresses.
For protocols that have only link-local addresses, such as Ethernet,[dubious - discuss] hardware addresses assigned by manufacturers in networking elements are unique, consisting of a vendor identification and a serial identifier. Link-local addresses for IPv4 are defined in the address block in CIDR notation. In IPv6, they are assigned the address block fe80::/10,

The Tool Preload accelerates not the boot time, but program starts or autostarts (under "Start programs"), that are used often or regulary awaiting past each system login. This simple service protcols the program favorites and loads them into the RAM right before. The program start accelerates by this. Preload is obtainable as rpm and deb packet.

A manual configuration is not essential, but possible ("/etc/preload.conf") (start preload for example within /etc/rc.local)

OKrkhunter, chkrootkit, Lynis - security check
With lynis an audit can simply be made:

lynis audit system --quick

After the first run one gets confronted with the total result named "Hardening index". "Warnings" and "Suggestions" howto secure resp. harden the system are shown during the scrolling.

OKOptimized usage of graphic cards and monitors in Linux
,, 30.04.2021
[...] The standard installed Open-Source-graphic-card-driver are sufficient for the most user, for more optimized performance the proprietary driver from manufacturer migh be recommended.

OKDelete X Windows on server
X Windows on server is not required. There is no reason to run X Windows on your dedicated mail and Apache web server. You can disable and remove X Windows to improve server security and performance. Edit /etc/inittab and set run level to 3. Finally, remove X Windows system, enter:

# yum groupremove "X Window System"
On CentOS 7/RHEL 7 server use the following commands:
# yum group remove "GNOME Desktop"
# yum group remove "KDE Plasma Workspaces"
# yum group remove "Server with GUI"
# yum group remove "MATE Desktop"

OKX-Server: Howto secure up: Host- and cookie-based access
he number 1 rated high risk system vulnerability noted by the recent ISS audit of BNL was the use of "xhost +" or an open X display. Using "xhost +" allows anyone the ability to watch your keystrokes, capture windows and insert command strings into your windows. This situation is particularly bad when you have root access to a machine. There is no legitimate reason to run "xhost +". Most people will be using ssh to make their connections to other machines than their desktop and ssh tunnels X11 traffic, eliminating any need for "xhost +". To use turn on X11 forwarding with ssh call it like:

ssh -X host.domain

This can be turned on by default by adding the following to $HOME/.ssh/config:

Host *
ForwardX11 yes

Make sure of the following things:

You should not set your DISPLAY variable, ssh will do it for you. It will look something like:


X11 forwarding must be allowed by the SSH server. Check /etc/ssh/sshd_config for a line saying "X11Forwarding yes".
On Linux/UNIX machines, the "xhost +" command can be issued at many locations, so you will have to remember, where you did it or find the location to turn it off (I believe that all recent version of the Linux X server have "xhost -" as the default). If you cannot find where the "xhost +" command is issued, adding a call to "xhost -" somewhere will turn it off.

Some of the most common files where you can find the "xhost +" command are in the X11 startup files. These file are


Also, doing a man xinit will give you more information on startup files which are executed when one starts up X11.

If you want to test to see whether you have fixed the "xhost +" problem on your systems, log into another unix computer, disable the ssh X11 encryption channel by resetting the $DISPLAY environment variable back to the server port 0 of your desktop, and then try starting up an xclock. For example, type the following commands

setenv DISPLAY

If an xclock pops up on your screen, you still have not properly enabled X11 access control. You should contact your computer liaison for further assistance.

To enable access control (set xhost -) on Tektronix Xterminals bring up the "Setup" menu (F3 key). In the "Configuration Summaries" pull down menu select "X Environment". On the X Environment page toggle "Enable Access Control" to "Yes". Return to the Main Menu and then "Save Settings to NVRAM". The terminal will now reject all X connections except those coming from the machine you connect to via XDM and those coming through tunnels to you XDM host created when you ssh to another machine. If you run "xhost +" on the XDM host, then you will again disable access control, so you should make sure that you do not do this in any of the X setup files (see the UNIX discussion above).

The following is an e-mail from Ofer Rind, who tells us how to enable X11 authentication on NCD Xterminals. Thanks Ofer for you post.
- Disabling Xhost+ on an Xterminal
(NB: This was tried on both NCD and Textronix Xterminals and seemed to work; however, your mileage may vary. The description is for an NCD.) Press Alt-F3 to pull up the Xterminal control bar. Select "Change Setup Parameters" from the "Setup" menu. When the setup parameters window pops up, select "Access Control." This will expand the menu, revealing an option called "Enable Access Control." Turn this on by pressing the adjacent square. Then, at the bottom of setup window, press the "Apply" button to effect the change. This sometimes takes several seconds, be patient. When the arrow cursor returns, close the setup window and return to your previously scheduled program. X access control should now (hopefully) be enabled. NOTE that this access control can be superseded by a user who logs in on the Xterm and sets "xhost +".

So our settings typed in terminal and /etc/rc.local after login to superuser by command "su" are (reset by "xhost +" on problems past the login):

xhost -
xhost +si:localuser:local-username

xhost +si:localuser:lokaler-Benutzername# lokaler-Benutzername: nur user, d.h. alle anderen Benutzer sind gesperrt, darunter Benutzer root, surfuser und toruser
xhost -si:localuser:root # bereits mit "xhost -"
xhost -si:localuser:toruser # bereits mit "xhost -"
xhost -si:localuser:surfuser # bereits mit "xhost -"
xhost -inet6:user@ # Das @-Zeichen muss bei inet6 (IPv6) im Unterschied zu si hinter dem Benutzernamen user stehen.
xhost -nis:user@ # nis: Secure RPC network

Output of command xhost:
access control enabled, only authorized clients can connect

Do not set it for any other user, even NOT root! These simple two rules (for example in /etc/rc.local) make the system once more mouseclick-fast..

OKX-Server, cookie-based access: MIT-MAGIC-COOKIE-1
When using xdm (X Display Manager) to log in, you get a much better access method: MIT-MAGIC-COOKIE-1.
A 128-bit "cookie" is generated and stored in your .Xauthority file. If you need to allow a remote machine access to your display, you can use the xauth command and the information in your .Xauthority file to provide access to only that connection. See the Remote-X-Apps mini-howto, available at

Cookie-based access
The cookie-based authorization methods are based on choosing a magic cookie (an arbitrary piece of data) and passing it to the X display server when it is started; every client that can prove having knowledge of this cookie is then authorized connection to the server.
These cookies are created by a separate program and stored in the file .Xauthority in the user´s home directory, by default. As a result, every program run by the client on the local computer can access this file and therefore the cookie that is necessary for being authorized by the server. If the user wants to run a program from another computer on the network, the cookie has to be copied to that other computer. How the cookie is copied is a system-dependent issue: for example, on Unix-like platforms, scp can be used to copy the cookie.
The two systems using this method are MIT-MAGIC-COOKIE-1 and XDM-AUTHORIZATION-1. In the first method, the client simply sends the cookie when requested to authenticate. In the second method, a secret key is also stored in the .Xauthority file. The client creates a string by concatenating the current time, a transport-dependent identifier, and the cookie, encrypts the resulting string, and sends it to the server.
The xauth application is a utility for accessing the .Xauthority file. The environment variable XAUTHORITY can be defined to override the name and location of that cookie file.
The Inter-Client Exchange (ICE) Protocol implemented by the Inter-Client Exchange Library for direct communication between X11 clients uses the same MIT-MAGIC-COOKIE-1 authentication method, but has its own iceauth utility for accessing its own .ICEauthority file, the location of which can be overridden with the environment variable ICEAUTHORITY. ICE is used, for example, by DCOP and the X Session Management protocol (XSMP).

Fetch the magic cookie entry relevant to your local display:
[garth@server1 ~]$ echo xauth add xauth list ${DISPLAY#localhost}
xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
Switch user to "oracle" and add the entry into your /home/oracle/.Xauthority file (by copying the ‘xauth add…´ line from above:

[garth@server1 ~]$ sudo su - oracle
[oracle@server1 garth]$ echo $DISPLAY
[oracle@server1 garth]$ xauth add server1.localdomain/unix:12 MIT-MAGIC-COOKIE-1 2928a6e16b7d6d57041dcee632764b72
xauth: creating new authority file /home/oracle/.Xauthority

After this your X-session should work…try something like "xcalc" or "firefox" to test it first and you should be ready to go!

OKAlso use ssh to allow secure X connections. This has the advantage of also being transparent to the end user, and means that no unencrypted data flows across the network.

OKAlso disable any remote connections to your X server by using the ´-nolisten tcp´ option to your X server. This will prevent any network connections to your server over tcp sockets.
Take a look at the Xsecurity man page for more information on X security. The safe bet is to use xdm to login to your console and then use ssh to go to remote sites on which you wish to run X programs.

kdm: /usr/share/config/kdm/kdmrc

ServerArgsLocal=-deferglyphs 16 -nolisten tcp

OKX11: Graphic card adjustments, especially for opengl- and SDL-games
Adjustment influences system and graphic card.
BIOS-Setup: Northbridge -> COMBO-mode
Start driconf (hardware see data sheed)
1) performance
+ synchronisation follows the verticale frequency rate, so that programs choose the minimal one
+ buffer object reuse: Enable reuse of all size of buffered objects
2 ) display (screen) quality
+ activate S3TC texture compression, even if unsupported by software
3) on failures
+ activate the immediate emptyting of the batch buffer each call for char
+ activate the immediate empying of the GPU-buffer
+ disable throttling on first batch after flush
+ force GLSL extension default behavior to "warn"
+ disable backslash-based line continuation in GLSL-source
+ disable dual source blending
+ perform code generation at shader link time

OKDeny administrative remote access
/etc/security/access.conf should be changed the way, that a remote access into an administrative account becomes impossible. By this user have to start the program su (or sudo) for administrative rights, so that there is always a track to check.
Add the following line into /etc/security/access.conf:


Do not forget to activate pam-module each service (or the standard configuration), if you want changings within /etc/security/access.conf get noticed.

OKHow to Check Password Expiration of User
In Linux, user´s passwords are stored in ´/etc/shadow´ file in encrypted format. To check password expiration of user´s, you need to use ´chage´ command. It displays information of password expiration details along with last password change date. These details are used by system to decide when a user must change his/her password. To view any existing user´s aging information such as expiry date and time, use the following command.

#chage -l username
To change password aging of any user, use the following command.
#chage -M 60 username
#chage -M 60 -m 7 -W 7 userName
-M Set maximum number of days
-m Set minimum number of days


OKChecking Accounts for Empty Passwords
Any account having an empty password means its opened for unauthorized access to anyone on the web and it´s a part of security within a Linux server. So, you must make sure all accounts have strong passwords and no one has any authorized access. Empty password accounts are security risks and that can be easily hackable. To check if there were any accounts with empty password, use the following command.

cat /etc/shadow | awk -F: ´($2==""){print $1}´

OKKeep a (daily) watch onlog-files (for example with logwatch) as much as the last logins in /var/log/lastlog
With the help of the command lastlog the content from /var/log/lastlog can be transferred into a readable format.

OKServices should not run as root-processes
deactivate services not needed (smalling the place for attacks): check out opened ports
netstat -lnptu
veralteter inetd noch nötig?
xinetd sicher konfigurieren
(gefährdete) Dienste absichern:
nur auf einer bestimmten IP lauschen, auf andere Ports wechseln
evtl. Port-knocking einsetzen (Beispiel SSH)
Bind mit chroot
sicheren FTP-Server einsetzen: vsftp oder pure-ftpd
unsichere Dienste nicht für kritische Aufgaben (Login) zulassen:
veraltete r-Dienste (rsh, rlogin, …)
nur notwendige Benutzerkonten einrichten
regelmäßig die Passwörter der Benutzer auf unsichere Passwörter überprüfen
leere Passwörter nicht erlauben
Kernel absichern
eigenen (minimalen) Kernel bauen
Integritätschecker, z.B. tripwire als cronjob laufen lassen. Die Signaturen sollten auf einem sicheren Drittsystem gelagert werden bzw. read-only gemountet sein (z. B. auf einer CD oder Diskette mit Schreibschutz)
Die Benutzung von Shadow ist meist schon aktiviert (shadowconfig on) Protokolle (Logfiles) sichern:
Loghost einrichten oder
Logfiles absichern: Mit Secure Logging von Core-Wisdom können Sie Logfiles auch in mySQL-Datenbanken ablegen oder per Fingerabdruck gegen Veränderung sichern.
msyslogd oder
logrotate → Log per mail
regelmäßig nach suid-Programme suchen:
automatisch mit Programmen:
sxid schickt eine tägliche Report über dazugekommene suid/sgid per mail zu
find / -perm -4000 2>/dev/null
allgemein suids:
find / -perm +6000
find / -perm -2000 2>/dev/null
volle Ausgabe mit allen Rechten bekommt man mit:
ls -lad --full-time ´find / -perm +6000´
Banner (Versionsnummern etc.) von Diensten abschalten
in /etc/motd die Kernelversion nicht anzeigen lassen, stattdessen Warnungen für Angreifer
SSH: Im Sourcecode
Logfiles studieren
Monitoring betreiben

SVGAlib programs are typically SUID-root in order to access all your Linux machine´s video hardware. This makes them very dangerous. If they crash, you typically need to reboot your machine to get a usable console back. Make sure any SVGA programs you are running are authentic and can at least be somewhat trusted. Even better, don´t run them at all.

OKGGI (Generic Graphics Interface project)
The Linux GGI project is trying to solve several of the problems with video interfaces on Linux. GGI will move a small piece of the video code into the Linux kernel, and then control access to the video system. This means GGI will be able to restore your console at any time to a known good state. They will also allow a secure attention key, so you can be sure that there is no Trojan horse login program running on your console.

OKDisable USB stick to detect (recommended for companies etc.)
Many times it happens that we want to restrict users from using USB stick in systems to protect and secure data from stealing. Create a file ´/etc/modprobe.d/no-usb´ and adding below line will not detect USB storage.

install usb-storage /bin/true

Disbale USB/firewire/thunderbolt-devices
echo ";install usb-storage /bin/true" >> /etc/modprobe.d/disable-usb-storage.conf
echo "blacklist firewire-core" >> /etc/modprobe.d/firewire.conf
echo ";blacklist thunderbolt" >> /etc/modprobe.d/thunderbolt.conf

Once done, users can not quickly copy sensitive data to USB devices or install malware/viruses or backdoor on your Linux based system.

Formulate any "welcome"-text after the login into the server on the system in /usr/lib/ to make unwanted users really think, if to proceed or if it would be better to log out or get away..

OKHow to Spoof a MAC Address (identifying hardware address of the ethernet card) permanently [...] A 48-bit MAC address (e.g., 08:4f:b5:05:56:a0) is a globally unique identifier associated with a physical network interface, which is assigned by a manufacturer of the corresponding network interface card. Higher 24 bits in a MAC address (also known as OUI or "Organizationally Unique Identifier") uniquely identify the organization which has issued the MAC address, so that there is no conflict among all existing MAC addresses.
While a MAC address is a manufacturer-assigned hardware address, it can actually be modified by a user. This practice is often called "MAC address spoofing." In this tutorial, I am going to show how to spoof the MAC address of a network interface on Linux.
Why Spoof a MAC Address?
There could be several technical reasons you may want to change a MAC address. Some ISPs authenticate a subscriber´s Internet connection via the MAC address of their home router. Suppose your router is just broken in such a scenario. While your ISP re-establishes your Internet access with a new router, you could temporarily restore the Internet access by changing the MAC address of your computer to that of the broken router.
Many DHCP servers lease IP addresses based on MAC addresses. Suppose for any reason you need to get a different IP address via DHCP than the current one you have. Then you could spoof your MAC address to get a new IP address via DHCP, instead of waiting for the current DHCP lease to expire who knows when.
Technical reasons aside, there are also legitimate privacy and security reasons why you wish to hide your real MAC address. Unlike your layer-3 IP address which can change depending on the networks you are connected to, your MAC address can uniquely identify you wherever you go. Call me a paranoid, but you know what this means to your privacy. There is also an exploit known as piggybacking, where a hacker snoops on your MAC address on a public WiFi network, and attempts to impersonate you using your MAC address while you are away.
[...] If you want to spoof your MAC address permanently across reboots, you can specify the spoofed MAC address in interface configuration files. For example, if you want to change the MAC address of eth0, do the following.

macchanger: Some things have to be done: "macchanger -r eth0" suggests a random MAC-address to add into /etc/rc.local (by "macchanger --mac new-MAC-address eth0"), same in /etc/sysconfig/network-scripts/ifcfg-eth0 and change the by this new obtained, local IP in LINFW3 (Dialog -> NONYESNO -> own IP), eventually restart the system.
On Fedora, CentOS or RHEL:

nano /etc/sysconfig/network-scripts/ifcfg-eth0


Alternatively, you can create a custom startup script in /etc/NetworkManager/dispatcher.d as follows, especially if you are using Network Manager. I assume that you already installed macchanger.

nano /etc/NetworkManager/dispatcher.d/000-changemac


case "$2" in
macchanger --mac=00:00:00:00:00:01 "$1"

... or macchanger -r "$1" Quelle:
This might depend on the hardware. "macchanger -r eth0" can be started at the end of a dialin-script like /usr/sbin/ifup or ifup-eth too for example. The same is possible by ifconfig.

If all this does not function, try same or similar command manually by terminal after the dialin.

Find out the actual set MAC- resp. MAC-Fake-Adresse by

macchanger -s eth0 or


OKAdjustments within /etc/sysctl/network-scripts/ifcfg-eth0

ONBOOT=no # automized dialin each boot
USERCTL=yes # user are allowed to configure the dialin and to dial in itself
IPV6INIT=no # perfer IPv4 with dynamic (changing) IP

OKResolver configuration file
File /etc/host.conf contains special information, how to configure the resolver library with a configuration keyword each line, followed by belonging configuration information.

order hosts,bind
multi on
reorder on
nospoof on
spoofalert on

Quelle: man host.conf

OKNetworkManager-Configuration by /etc/NetworkManager/NetworkManager.conf:




More (secure) configurations of he NetworkManager by NetworkManager.conf see

OKDeactivate NIS
... in order to avoid password-sharing. For this, LDAP is recommended.

OKSicheres finger
Es gibt viele finger-Daemon, als besonders sicher gilt ffingerd. Hier kann die Anzahl der zur selben Zeit laufenden Prozesse und die Anzahl der darauf zugreifenden Hosts limitiert und das verfügbare Interface eingegrenzt werden.

OKSichere Nutzung von PCs unter Ubuntu (und andere, Anm., Gooken)- für kleine Unternehmen und Selbstständige v2.0 (PDF, 189KB, Datei ist barrierefrei⁄barrierearm), BSI, 01.08.2018

EUD Security Guidance: Ubuntu 18.04 LTS

Created: 24 Jul 2018
Updated: 24 Jul 2018

OKpaxctld von (Aufruf paxctld in /etc/rc.local mit "paxctld -c /etc/paxctld.conf -d -p /var/run/paxctld"
/etc/paxctld.conf (allowed is s,r,p,m and E)
e,E -
m,M -
p,P -
r,R -
s,S -

# /usr/bin/gdb srpm

# steam
# /usr/lib32/ m
# /usr/lib64/ m

# node
# /usr/bin/node m
# /usr/bin/perf m

# firefox
# /usr/lib64/firefox/firefox m
# /usr/lib64/palemoon/palemoon m

# tor-browser
# /home/toruser/tor*/Browser/firefox m

# /usr/lib64/thunderbird/thunderbird m

# oxide
/usr/lib/x86_64-linux-gnu/oxide-qt/oxide-renderer m

# valgrind
/usr/bin/valgrind m

# python
/usr/bin/python E
/usr/bin/python2.6 E
/usr/bin/python2.7 E
/usr/bin/python3.2mu E

# java
# /usr/lib/jvm/java-6-sun- m
# /usr/lib/jvm/java-6-sun- m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-6-openjdk/jre/bin/java m
# /usr/lib/jvm/java-8-openjdk/jre/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/bin/java m
# /usr/lib/jvm/oracle-jdk-bin-1.8/jre/bin/java m
# /usr/lib/jvm/zulu-8-amd64/bin/java m

# openrc /lib/rc/bin/lsb2rcconf E

# tuned
# /usr/sbin/tuned m

# libreoffice
# Ubuntu doesn´t seem to carry this patch:
# libreoffice will still run fine without the below line,
# but it will report an RWX mprotect attempt
# /usr/lib/libreoffice/program/soffice.bin m

OKLock virtual consoles except tty7 by default
/etc/inittab, comment in:
# Run gettys in standard runlevels
#1:2345:respawn:/sbin/mingetty tty1
#2:2345:respawn:/sbin/mingetty tty2
#3:2345:respawn:/sbin/mingetty tty3
#4:2345:respawn:/sbin/mingetty tty4
#5:2345:respawn:/sbin/mingetty tty5
#6:2345:respawn:/sbin/mingetty tty6

Start as few root-processes as possible!

OKRemaining essential root-processes except those started by kernel (kthreadd):

X # xhost-access-control or run in usermode, see, and X with option "--nolisten tcp" (by default, check it out by pressing keys ESC + STRL and moving mouse over process X; configuration for X: /etc/X11/xorg.conf section "ServerLayout")
hald # makes acpid superfluosly
console-kit-daemon # needed only for the login, timeout possible
wpa-supplicant # part of NetworkManager
psad # or iptables: psd, port-scan-detection; start only with securing options like --no-rdns, --no-whois and --no-snort-sids

udevd # devices and interfaces
dhclient # or dhcpd etc.
spamd # alternatively try bogofilter for example always running in usermode

OKLost or forgotten password, no access onto the system?
The steps you need to take in order to recover from this depend on whether or not you have applied the suggested procedure for limiting access to lilo and your system´s BIOS.
If you have limited both, you need to disable the BIOS setting that only allows booting from the hard disk before proceeding. If you have also forgotten your BIOS password, you will have to reset your BIOS by opening the system and manually removing the BIOS battery.
Once you have enabled booting from a CD-ROM or diskette enable, try the following:

Boot-up from a rescue disk and start the kernel

Go to the virtual console (Alt+F2)

Mount the hard disk where your /root is

Edit (Debian 2.2 rescue disk comes with the editor ae, and Debian 3.0 comes with nano-tiny which is similar to vi) /etc/shadow and change the line:

root:asdfjl290341274075:XXXX:X:XXXX:X::: (X=any number)



This will remove the forgotten root password, contained in the first colon separated field after the user name. Save the file, reboot the system and login with root using an empty password. Remember to reset the password. This will work unless you have configured the system more tightly, i.e. if you have not allowed users to have null passwords or not allowed root to login from the console.

OKChecking file system integrity
Are you sure /bin/login on your hard drive is still the binary you installed there some months ago? What if it is a hacked version, which stores the entered password in a hidden file or mails it in clear-text version all over the Internet?
The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file. Two files cannot have the same md5sum (the MD5 digest is 128 bits, so the chance that two different files will have the same md5sum is roughly one in 3.4e3803), so you´re on the safe site here, unless someone has also hacked the algorithm that creates md5sums on that machine. This is, well, extremely difficult and very unlikely. You really should consider this auditing of your binaries as very important, since it is an easy way to recognize changes at your binaries.
Common tools used for this are sxid, aide (Advanced Intrusion Detection Environment), tripwire, integrit and samhain. Installing debsums will also help you to check the file system integrity, by comparing the md5sums of every file against the md5sums used in the Debian package archive. But beware: those files can easily be changed by an attacker and not all packages provide md5sums listings for the binaries they provided. For more information please read Do periodic integrity checks, Section 10.2 and Taking a snapshot of the system, Section 4.19.
You might want to use locate to index the whole filesystem, if so, consider the implications of that. The Debian findutils package contains locate which runs as user nobody, and so it only indexes files which are visible to everybody. However, if you change its behaviour you will make all file locations visible to all users. If you want to index all the filesystem (not the bits that the user nobody can see) you can replace locate with the package slocate. slocate is labeled as a security enhanced version of GNU locate, but it actually provides additional file-locating functionality. When using slocate, the user only sees the actually accessible files and you can exclude any files or directories on the system. The slocate package runs its update process with higher privledges than locate, and indexes every file. Users are then able to quickly search for every file which they are able to see. slocate doesn´t let them see new files; it filters the output based on your UID.
You might want to use bsign or elfsign. elfsign provides an utility to add a digital signature to an ELF binary and a second utility to verify that signature. The current implementation uses PKI to sign the checksum of the binary. The benefits of doing this are that it enables one to determine if a binary has been modified and who created it. bsign uses GPG, elfsign uses PKI (X.509) certificates (OpenSSL).

Solution: encryption of the root-partition, see Full System Encryption (FSE)

OKLifetime hardware, conductor pathes: secured contacts on graphic cards, boards and platines
Sounds like it is our last advice (but of course it isn´t), not to forget to put some chalk into the computer tower inside. The trick is to keep contacts on mainboard including graphic-chip resp. graphic card and other electronic devices always rust-proof and save from moisture!

OKRemove online accounts of internet service provider
Phishing, profiling, spam, data handling, investigations by law, organized criminality, secret agencies, ad networks, large server farms, artificial intelligence, social bots, hacks, doxxing, honeypots, man-in-the-middle-attacks, ...: Before starting with the installation of "Universal Linux 2010" resp. before going to update programs and system, try to remove as much online-accounts as possible, that means as making sense for you: social media, Google, paypal, online banking, online shopping, ... This might become quit difficult: So read out belonging manuals and follow the instructions. For still existing accounts security settings should be made serious hard after the logins into the online portals.

OKAllround-protection through iptables-firewall Linfw3
Linfw3 can be downloaded during further below. With Linfw3 all hacker and all trojans can be blocked, if only the user like surfuser within a group like surfgroup are allowed the password protected start of processes going online into the net. Even superuser root resp. uid 0 belongs to all the user, who are not allowed going online, only processes started by (surfuser) of group (surfgroup). By this, programs can go online in a very easy way, after belonging ports once got opened in Linfw3. This is the main advantage. The next advantage: All passwords except the ones for the LUKS-encrypted root partition get irrelevant - even if others know them! The access rights for files should be set local for each user only onto <=700 ( what can be done automatically per "umask 077" within /etc/fstab, manually by chmod or graphically through the context menu). The last risk remains in the Chrooting, settings by msec like "Forbid root-access", "Forbid extern access for root/forbid chrooting" and/or Sandbox firejail prevent by locking the consoles of the user accounts (including root (uid 0, gid 0), but except surfuser). Even the shell-login of all system- and user-accounts except surfuser can be restricted to /sbin/nologin too - no login possible. This can be done with msec_gui or by a special UNIX/Linux-(bash-)command). ACL-access-control (request by getfacl, settings by setfacl) can restrict processes owned (started) by surfuser access on all kind of (exectuable) files too. Scripts over once opened (established) net-connections can be blocked by Firefox-Extensions ABP, noscript and RequestPolicyBlockedContinued resp. Firefox >= 64 with mechanisms against Cross-Site-Tracking/-Scripting and all other kind of tracking. Beneath this, the Port-Scan-Detektor psad or psd of iptables activated by Linfw3 does its best too! And do not forget FSE (Full System Encryption by LUKS/dm-crypt) thinking of the command mount and therefore also cryptsetup (LUKS) including such chroot... All in all the remaining risk is given only by the started root-processes from kernel from the house Linus Tovalds, although they get blocked by Linfw3 too as long as owned by root by the way already depicted. Especially one root-process envokes some distrust - X (the X-Server, including the graphic card driver), but X can be restricted by own ACl through the command xhost as described in some points from above. There it is described, howto start X with option "-nolisten tcp" and that X can also be started in normal usermode. To get total paranoid, MAC (control resp. restriction of process interaction) might interest too - but that really mustn´t.
This excurs specifies Linfw3, firejail, ACL-Access Control Lists, MAC, Intrusion Detection Systems (IDS, if needed), important Firefox-Extensions upon opened connections and further methods later on, past the section for updating.

SL-Banner Regardless from all Linux-distributions, one and the same Linux gets installed package by package, although this might not possible for each distribution as a fault of their specific architectures (library-structure and so on).

OKWe would prefer the most complete Linux by electing certain distributions getting mixed to call it slackware either by installing a brandnew distribution to mix it up after getting updated or by the backport concept we are going to describe here.
Linux resp. (backported) "Universal-Linux" can origin in mdv2010.1 for example. It is updated long-termed and consequently with Fedora Project (fc), especially CentOS 6 (el6) and CentOS 7 (el7) resp. Scientific Linux (sl6/el6, sl7/el7) and fc -> EPEL (el6, el7) and other el6/sl6 and el7/sl7, where each source package is listed directly under the binary one on It finally managed to stop leaving rubbish over rubbish of packages from all the outworn over outworn distribution behind. The speciality for the backport-concept is, that almost one and the same version with its own releases get patched over patched in many cases for the same version by new releases, what is marked in the rpm-package name behind the point at the end of the package name, until the intern code does its work stable and secure. So one and the same package-version of the same release got fixed resp. picked out and overworked and overworked until security and functionality (as amost the best sign for security) are given, leading to new releases to one and the same versions. Nevertheless the version might differ resp. change in some, quit seldom cases too.

OKSecure Programming HOWTO, David A. Wheeler, 2015-09-19
This book provides a set of design and implementation guidelines for writing secure programs. Such programs include application programs used as viewers of remote data, web applications (including CGI scripts), network servers, and setuid/setgid programs. Specific guidelines for C, C++, Java, Perl, PHP, Python, Tcl, and Ada95 are included. It especially covers Linux and Unix based systems, but much of its material applies to any system. For a current version of the book, see

Suse Doc: Deployment Guide - Backporting Source Code
SUSE uses backports extensively. The information in this section helps you understand, why it can be deceptive to compare version numbers in order to judge ...

Debian richtet neues Backports-Repositorium ein - Pro-Linux
Mit dem neuen Repositorium "lenny-backports-sloppy" stehen Debian-Anwendern künftig aktualisierte Programme ohne große Risiken und Mühen zur Verfügung.

This backporting is provided for CentOS for more than 10 years (CentOS 6: from year 2010 until year 2026), accompanied by CentOS 7 (until 2027).
Installed Linux can be completed to talk about this one and only Linux by installing packages from many other distributions too.
You can read more about CentOS and this fact in our section for Updates.
Alternatively you can order this complete mdv2010 already in an FSE-encrypted form (full system encryption by dracut and LUKS) preinstalled on SSD, where all updates past the update expiration time of mdv2010 including those from CentOS el7 and el6 are already installed. Now, just unpack the tarball of an actual Firefox (actual or actual ESR, extended security release from CentOS or Rosalabs) and Thunderbird (actual ESR (el6, el7)) into a directory like /usr/lib64/firefox-any-name and /usr/lib64/thunderbird-any-name and link the executable files /usr/bin/firefox by the command "ln -sf /usr/lib64/firefox-any-name/firefox-bin /usr/bin/firefox" to update firefox in future following the firefox-INFO-menu. We are going to describe the update of Firefox (and Konqueror) explicitly further below. At last you care for a more or less actual GNU C standard library (glibc(pclos)), for this purpose we tested mga6, ver. 2.22-29 form 17. June 2018. Of course all already installed glibc-packages can be upgraded to mga6 (2.22-29) or higher) or main glibc-package (mga6) with all other glibc-packages coming from el6.

OK We decided us for kernel 5.4.110 (pclos) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) on the base of the GNU C Standard Library glibc-2.31 (pclos), glibc-2.22 (mga6) out of:

glibc (el8, pclos, mga6), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2016.1, rosa2014.1), compat-glibc (el6), glib2.0-common (pclos, el6), glibc-i18ndata (pclos, mga6), glibc-headers (pclos, el6), glibc-static (el6), glibc-utils (pclos, mga6), glibc-profile (pclos, mga6), glibc-glibc_lsb (rosa2016.1, rosa2014.1), locales (pclos, mga6), glib2 (el6), prelink (mga6, mga7, mga5, pclos, rosa2016.1, rosa2014.1), lib64stdc++ (pclos, mga6) or (and this is our tested-well choice:) glibc complete mga6 or: glibc (pclos, mga6 main glibc, rest-rpm: el6), libstdc++ (mga6), libsigc++ (mga6)

In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

additionally, but be careful, miroplayer (el6) and the MCC-printer-administration might not work anymore: lib64glib2 (rosa2014.1), lib64gio2 (rosa2014.1), lib64gobjet2 (rosa2014.1), lib64gmodule2 (rosa2014.1). If they do not, reinstall glib2 (el6) and glib2.0-common (el6).

You can get all such glibc-packages from and without any problems, but the new filesystem of glibc for mga3 since version 2.17 consists of new linked directories in directory root named /bin, /sbin, /lib and /lib64, so that all of their files have to be copied into equal named directories of /usr: /usr/bin, /usr/sbin, /usr/lib and /usr/lib64. This can cause programs like terminal "konsole" not working anymore, so that the cursor remains in the upper left corner of the started terminal, to think about other terminals like the recommended xterm and the very secure rated but no unicode supporting aterm and the next step to do like installing package (rpm) shadow-utils. Konsole is still functioning only, after devpts is mounted in the device-configuration-file /etc/fstab. This can be done by the following entry:

none /dev/pts devpts mode=620,gid=5

with gid for tty and in the user-administration of MCC set user to a member of group tty,wheel,lp. Now it is possible to install many packages from more actual distributions like not only mdv2011 and mdv2012, but also Mageia Cauldron 1 up to 4 and especially Fedora Project resp. CentOS 6.8 el6 (release: 2010, modificiaton release date (rpm) CentOS- resp. SL-release: 03.08.2015) and el7 (in the last two cases with update-guarantees until year 2026).Now software-packages are provided by and for CentOS (resp. el6, el7, Scientificlinux (sl6, el6), ALT Linux, Repoforge (el6.rf), CERT Forensics Tools, PUIAS Computational, KBS Extras Testing, P.N., Nux Dextop (el6.nux), Rpmforge (el6.rf), Epel (el6), Atomix, Russian Fedora (, NauLinux School (el6.nau), Nau Linux Extras, LinuxTECH und Ghettoforge (, Mandriva mdv2010, mdv2011, mdv2012, Mageia5 down to Mageia 1, Rosa2014.1, Rosa2012.1, newest Fedora, OpenSuSE and Tarballs and programs for any other OS to emulate from everywhere. With el6 and el6 you can follow the Gentoo-GLSA ( ) update security list. We list each package in our section for updates. This all can also be made for other distributions, annoying, if not. Folllowing our steps, this OpenSource-System full of device-driver can be made incomparible secure, while the iptables-firewall Linfw3 bewares the central meaning. For more details, please follow the details from our excurs as follows, especially in the section for updates. For this please notice, that one should not be forgotten: to make 1:1-backups during the installation process on at least one extern storage media, especially by command dd.

report from 21.10.2004, last update: 06.23.2017. If you can not see a menu on the left side, please click here.

Time for the system boot < 1 second

It was long ago, year 2010, my computer satisfied my needs, even in future. Soon you will agree. You can not make more secure what is secure, same by versatile and who really follows this report by an everlasting, 100% secure computer-system including a ultraslim 18W-WLED-Monitor (TÜV certified) for about 200€ power-consumption 20 up to 40W only, all for about 200 &euro. Many other models might interest too. On our linksites section for "News&Links" ( we even found out Rasperry Pi 3 and especally C.H.I.P., a 3-W-computer for 9&euro;, a model with much memory and as powerful as the smartphone. Further on we are going to present an independent from defragmentation and (included) virus-scanner and so on most secure Mandriva-Linux-computer-sytem from kiosks for only some Euro in year 2010, that is able to manage quit all one can imagine, because of its covering software seized in about more than 65 GB (15 DVD) quit for free. Not only the suspend-mode is working on our hardware, where the complete monitor gets "suspended", whenever you choose the resting mode resp. state (similar to the poweroff-state by hardware), Gooken of the computer tower blinks and Mandriva (2010) turns off all devices except RAM, in order to

"boot" the complete system in less than one second after pressing the powerbutton of your computer tower!

If this does not function, update acpid to at least 2.0.4 or el6. For these two suspend modes including hibernate of all in all four modes make yourself sure, that ACPI_2.0 is activated in the BIOS, that the SWAP-partition is sized by around 2 GB and that all USB-devices like usb-memory-stick are plugged out (umounted, umount and unplugged). Now the green LED of the computer-tower is blinking for mainboards like ITX-220 (details see data-sheed). Envoke the system again by pressing the power-buttom of the computer tower. Now a password request out of the OpenGL-screensaver (also used for the case of screen-locking) is made, but only if activated within power-management of systemsettings.

Here once again all energy saving modes (suspend modes) under "Universal Linux 2010" (backported system) in detail:
- blanked screen, readiness (passive) - dark blanked screen. Some power is already saved by this.
- locked screen - OpenGL-screensaver with user-password request - protection during all the (almost short kept) time, a user abandons the computer. Power is still consumpted, until power saving modes might get into effect.
- abandoned / suspended - The monitor is powered off (almost automatically after a some time set), but awakes again with the user activity like mouse-move, mouseclick or any keystroke. Saved power: 18 Watt monitor-power- consumption
- hibernation - the actual state gets saved into the SWAP-file, the computer seems to be "powered off completely" , while the BIOS blinks the green LED at the computer tower, but an awake resp. the backup of the state right before is possible by pressing the power-on/off-buttom of the computer-tower. After the awake, the user-password is requested to go on working with the computer in the state right before, if determined by the power-management of systemsettings; saved power: quit all 37 Watt.
- deep sleep - another kind of hibernation or similar to it, but the data is written onto the hard-drive resp. SSD. All internet connections (network manager) got closed after the awake in both last hibernation modes, so they have to build up again.

The following terminal-command
sudo rtcwake -m off -s 60
is well to test, if the hardware does support the "fast boot" (x86-hardware almost does, ARM-Rechner does it not always). Der Schalter "-m" bestimmt den ACPI-Modus. Mögliche Werte sind "standby", "mem", "disk" oder "off" (komplettes Ausschalten). Als zweiter Parameter ist hier "-s" ("seconds") mit einer nachfolgenden Zeitangabe in Sekunden angegeben. Der obige Testbefehl wird also das System herunterfahren und nach einer Minute neu starten (60 Sekunden). Obwohl mit Schalter "-t" ("time) auch exakte Zeitangaben möglich ist, empfehlen wir, den geplanten Neustart immer mit Parameter "-s" anzugeben. Es ist wenig Mühe, etwa zehn Stunden in Sekunden umzurechnen (10*3600=36 000).
Um Shutdown und Start zu automatisieren, kommt der Zeitplaner Cron ins Spiel: Nach dem Aufruf der Crontab-Editors mit
sudo crontab -e
schaltet folgender Eintrag
0 22 * * * /usr/sbin/rtcwake -m off -s 36000
den Rechner täglich um 22:00 Uhr ab und startet ihn nach 36 000 Sekunden (zehn Stunden) wieder - exakt um 8:00 Uhr.

And... much happened: incredible 38 Gigabyte Traffic with our websites last month April without making ads: Computer age without aging, no platform without fundamental IT security, so be welcome on the excurs for IT-security from Gooken on as a significant contribute to the successful interplay of informatics and society!

Now you can resign from things, that the world does not need! So everything is already authorized on DVD mdk2004 - except some special software like Nasa-moon-watch perhaps. After waiting quit the same long time, hardware fulfills important criteria too.

Starting Situation

Whoever posseses a "(mirolike) suneater" (a computer), one theme can interest: security. "Earlier so-called cybercriminals immobilized foreign calculators by computer-viruses, today the data thieves strip of whole bank accounts (by credit-card-betrayal, cracking of chips, debit entries, emails like scams, skumming, hacking and phishing");, wrote the press even after the millennium change. Eyes Since George Orwell we discuss the phenomenon of the Big Brother as someone trying to find out our habits, in order to achieve the aims for his few interests groups. Can´t enumerate all this: Spied offices and toilettes, cams in banks, in railway-stations and airports, right in front of petrol stations and bank automats: The eyes and ears of the big brother seem to be everywhere. Worlds get handicraft and abused (by censoring not fitting facts, opinions and views) .Trains were getting late, delrailed, while planes, cars and ships crashed or sank. Power supply systems had their blackouts, user konterminated by elements from platines and therefore got irrediated by the normal use of hardware, see postings form newsgroups cited and linked on our linkside. Significant preparations against thunder-storms were not made. Prices for power supply drifted. Votings were not encountered right. Opinions got suppressed and manipulated by positionings within search engines and legitimating rules, in some cases their listings took more into effect than prepunishment registers of criminal courts, unmanned airoplanes threatened with shooting us, corruption escalated.

Once, in year 2003, SuSE Linux 7.3 appears including four printed out manuals: one reference, one for the programs, one for networks, but still the market share for Linux except for server reached less than 10 percent. Linux has got the right intellectual touch, many people do not like. The handbooks interest a lot, but did not explain, how to create and manage a really secure computer system. Upon the base of a software surface covering distirbution like mdv-Linux from year 2010 we dare to say it managed us to do so by this excurs resp. report. This mdv also makes it possibles to emulate other popular operating systems on the platform of powersaving but ergonomic fast working hardware. Even diversified games for this distribution understand to convice us very much, many of them are running upon OpenGL and SDL. Nice to notice, and what is interesting most: They and all Software of this distribution do really, really run! See how risky other operating systems had been constituted, for not many people did believe us before it all happened with them:

Focus:de, February 2015: "Also unreal e-mails from betrayer and cyber-criminals are well known, it is a matter of a few seconds we click on such emails to make it happen. As soon as such email do open, we forbode this email not to be sent only to us. Dangerous viruses can take into effect (prevention: UNIX-Linux filesystems, spam-filter with a first virus-scanner like spamassassin and clamav prevent the propagation of viruses). The second next mistake is to open the atteachments and links too. Cyper-Criminals can rob millons of email-addresses by data-robbery. Inourdays plenty of time is spent online to be reachable so that we can get abused. The problem to protect the increasing amount of data becomes day by day more difficult Fingerprints are left in emails, by online-shopping (registrations, tracking-scripts), whats-app-news and more."

niue-muenzen Viruses, trojans, worms, bots: 40 percent of the computers are "zombies", Focus, 02.03.2014
The amout is alarming: 40 percent of all PC in Germany are infectedt and can be remoted by cybercriminals. Once set free, malware opens the backdoorr for more abuse. How to protect: The amount of infected computer increased last year up to 40 percent, confirmed the Anti-Botnet-Support-Center of the internet community Eco. More than 220.000 computer with old browser-versions have been scanned. This forwards to trojans and viruses. In many cases, the first varmint opens the door for more infecitons, describes the community. "Zombie-computers" could be remoted. Infected so colled "zombie-computers" could be remoted by cybercriminals. "Their systems are engaged as part of networks, that are abused by criminals for abuse like spam-transfer or denial-of-service-attacks, leading to die immense harms", described Markus Schaffrin, the ECO security expert. The result is alarming, said Eco. For more security, a well configured firewall and anti-virus-scanner remained essential. Focus explains, how you can find the best virus-scanner (we, Gooken, think it´s clamav. This open sourced scanner is always checked well, as he can be installed on all popular operating systems).

Linux does not work? How you can solve every driver-problem,, 04.07.2017
Linux runs on quit all PC and notebooks, but not each hardware periphery is recognized automatically. For new devices some problems are possible.
[...] Linux-distributions provide a wide hardware support and run on quit all PC. With SATA, ethernet, graphic-card and monitor as much as mouse and keyboard there are no problems at all awaiting. Those basic functions should be warranted each case.
Elder printer, scanner or tv-cards without driver for Windows 7, 8 or 10 can often be reused for Linux, but for very new or seldom devices sometimes there is no support pregiven. Before the installation tests for hardware-compatibility should be made.
Report in german language onle:

New nvidia-driver cause system-breakdowns,, 10.03.2016
Nvidia´s new graphic card driver 364.47 cause serious hard problems for some PC-user. Concered user can do the following: .

Even a supergau in Fukoshima took place! Even have a look onto the section for "News&Links" from our left menu! If we follow such reports, we remind of emergancies, catastrophes and incalculatable payments. Since computer-technique seems to be part in almost everything (Na/ST), it and the companies behind seem to be quit liable for all, in person also see our linkside....! One question seems to be central:

Do we reign computers, or do computer reign us?

Computing begins, where it ends

Green LED vs. red LED: "Yes, I think I´am OK vs. yes, I think I am (the) stupid idiot (while our own system signs: "..." with one very short blinking point more or less periodically after the other one in around two up to ten seconds, asking the user back for "any complaints?", reminding him for "more activity, please..." and saying "I tell you...(heartbeats)"), what shall not confound with the three LED at the top of the num-block the keyboard saying to the user "Hi!" and "bye" resp. "out of order" (kernel-panic). All or something, that of course is not essential anymore in the case of touch-screens, and that´s the naked truth. The own computer should be no disadvantage and not stand for riscs (red LED) without loosing his advantages and opportunites (green LED). Computer systems should not think about themselves, that they are stupid for all, by making themselves work with capacities reducing and control wresting self-checks for virus-scans, bot-processes, bugs (program-errors), processes of trojans and self-maintenances as the cause of their technical unjustifiance. This is almost self-signaled by the blinking orange or red LED of the computer-tower. A solution far from MS Windows is found since year 2004 resp. 2010: Gooken does present even more a (classical, quit everlasting) computer-system on lowest costs with quit all software almost in top-graphic running as secure and stable without much blinking of the red LED as computer can! In spite of red marked text and our linksite you become a witness of the eight wonder of the world named "the almost 100% security bewaring computer running on lowest cost, where there is quit no software of rubriques of all kind missing", even not of games and TOP-games! Please do not forget to read our linksites from the left menu section "News&Links" These linksites contribute to the right understanding of the work with the computer and, although we are going to provide the promised security by this excurs, many remaining threatenings from the outside are still awaiting! For security studies for MS Windows, please have a look upon News&Links too.

Very past installation phase, a system almost free from security-leaks, maintenance and administration will be provided. The only thing one has to do from time to time is, to install some actual updates.

MS Windows "Replacement": Windows-Emulation by virtualbox, VM, qemu, xen, mingw and wine (mdv2010), same for MAC-OSX by BasiliskII and Amiga by uae and so on

Through wine, winecfg and at last playonlinux of mdv2010 emulation of software running on MS Windows (98, XP, 7, ... ) including MSOffice and Internet Explorer 6 up to actually 8 is not the problem anymore (although in our opinion with the well-equipped mdv2010 we need much or anything of it...). More than 100 Top-Games: see our data sheed.

Frontend playonlinux presents software, that can be installed groupwise like accessories, development, education, games, graphics, internet, entertainment, office and others and offers the following software in detail beneath many other one to install:
MS Office, MS Word Viewer, Intenet Explorer, 6 up to (actually) 8, Google Picasa, WowApp, 7-Zip, Ultimateencoder, Amazon Kindle, Azuon, Cadstd Lite, PDU Spy, Photofiltre Studio X, Dreamweaver, Codeblocks, Flashplayer, Flash 8, Flash MX, Notepad++, Graph, Teach2000, Simultit, Rocket Reader, Huckel 95, Adobe Photoshop, Fireworks8, Microsoft Paint and more, more than hundred games see our data sheed!

playonlinux installs different Wine32 and Wine64 depending on the programms chosen.

It also offers installation of any setup.exe regardless from the download out of the internet, that means from harddrive or CD/DVD too.

Wine: How to use the Windows-Replacement in Linux,, 08.11.2015
Wine is a a clone of the Windows-API with many windows-programs to run under Linux too. Whenever functioning, it is in opposite to virtualization (virtualbox, Xen, qemu, ... ) the more direct way:, zahlreiche Top-Games aus playonlinux siehe unter Datenblatt.

PCWelt also presents security tipps for the user,, 03.08.2015 and 22.08.2015

Create your VPN (private internet tunnel)
Most public WLAN-net are - as already told by name - public. Hacker, equipped even with only a few programs, can "catch" the traffiic from the next area. Although it is useful to provide more security by calling websites per https in the address-line of a browser, it is not the best solution. A private network (VPN) should be used, in order to provide an encrypted data-tunnel between your device and the internet. There do exist versions of such programs for free like "Hide My Ass", "Hotspot Shield" and "Tunnel Bear"- a payed VPN belongs to the better alternatives (or use the real secure freeswan, strongswan, openvpn or openswan). The versions to pay like Hide My Ass cost 40 € the year for example and protectis not only your PCs but also your mobile devices.

libreswan (rpm): "Libreswan is a free implementation of IPsec & IKE for Linux. IPsec is the Internet Protocol Security and uses strong cryptography to provide both authentication and encryption services. These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the ipsec gateway machine and decrypted by the gateway at the other end of the tunnel. The resulting tunnel is a virtual private network or VPN.
This package contains the daemons and userland tools for setting up Libreswan. To build KLIPS, see the kmod-libreswan.spec file. Libreswan also supports IKEv2 (RFC4309) and Secure Labeling. Libreswan is based on Openswan-2.6.38 which in turn is based on FreeS/WAN-2.04"

suneater_miro You can use a virtual private network-client for free like OpenVPN (or Freeswan, Anm., die Red.), in order to connect to a VPN-service, where you have an account, so that you can visit the internet through an encrypted access. This is a good reason for VPN, but not the only one. Maybe you do not want, that your internet provider surveys all your online-activities at home. Normally, if you go online, the provider can survey all of your activities. By VPN your internet service provider can only see the connection to the VPN. Besides from this VPN help you to bypass regional restrictions for websides like Amazon, Hulu, Netflix and BBC iPlayer. One example for a VPN-provider is the company IPredator from Schweden offering VPN-services for eight Dollar the month, keeping its connection to the famous torrent-tracking-site "The Pirate Bay". IPredator promises not store any traffic data of their user. You can also use PGP-encryption, if you contact IPredator-support per mail. One more popular VPN-provider is Private Internet Access, that promises not to protocol traffice data too. PIA costs 7 Dollar per month or 40 Dollar the whole year. PIA also helps to bypass reginal blocks in the USA, Canada, Great Britain and several countdries in continental europe. Although VPN protects your privacy, provider of websites like Facebook and Google can protocol your internet-activites. The use of your anonymous-private-mode of your browser is not caring for complete anonymity, but it keeps websites from reading out your cookies and the histroy of your browser, in order to get more to know about you. We are going to see, what we can do, comment by Gooken.

Howto configure and establish VPN-connections can be read here (in german language): .

The risk remains by the VPN-provider, as he knows the IP-address - so you have to convice him. This is the central disadvantage in opposite to Tor.

I2P is a decentral network connecting users, in order to make an point-to-point- (end to end-) encryption possible. It is still under development and provides an experimental additon to other methods for encryption or anonymization.

Tor is a connection-based low-latency anonymous communication system. This package provides the "tor" program, which serves as both a client and a relay node. Scripts will automatically create a "toruser" user and group, and set tor up to run as a daemon when the system is rebooted. Applications connect to the local Tor proxy using the SOCKS protocol. The local proxy chooses a path through a set of relays, in which each relay knows its predecessor and successor, but no others. Traffic flowing down the circuit is unwrapped by a symmetric key at each relay, which reveals the downstream relay. Warnings: Tor does no protocol cleaning. That means there is a danger that application protocols and associated programs can be induced to reveal information about the initiator. Tor depends on Privoxy and similar protocol cleaners to solve this problem. This is alpha code, and is even more likely than released code to have anonymity-spoiling bugs. The present network is very small -- this further reduces the strength of the anonymity provided. Tor is not presently suitable for high-stakes anonymity., about tor, 18.01.2016

Another example, why to resign from TOR is named by

"In November last year the anonymizing-network Tor started his first spend campaign. With overwhelming success. Exact 205.874 US-Dollar (around 190.262 Euro) from 5265 different givers are taken by the project Tor during six weeks. With this amount of money, the Tor project is going to reduce the dependencies from the US-government, financing Tor of about 80 up to 90 percent. As the US security agencies try to infiltrate the tor-network, it makes sense Tor making more independent from USA. Alleged the US-policei FBI spent one million dollar to an explorer of the Carnegie Mellon University, in order to help the FBI, to intrude into the anonymizing-network. The NSA is going to crack TOR too.",

Tor - no absolute security,, 30.08.2016
The anonymizing network like Tor left security leaks and access points: if many Tor-nodes gets observed, conclusions to the location as much as identity of a user can be drawn - and not only by institutes by law than NSA. There are some tor-based virusses and malware on their way - probably seldom, but really existant, .

OK Protect the router
The most important connection to the internet for the everyday life is your router at home for the use of online banking and so on, where sensible data is transferred. So do not use ever the same passwords, especially not that of the router. For most secure home connection always use WPA2-encryption and random generated login-passwords out of at least 30 characters, that should be kept within a password-manager. One more report about router is following below at the end of step 1 of this excurs.

OKSecurity updates: Critical leaks in root-security in SD-WAN-routern of Cisco, CHIP, 01.30.2021
Admins of Cisco-hard- and -Software should install the actual security patches. Otherwise attackers can attack the networks and execute malicious code, in oder to win the control over them.

OK Resign from Java (whenever possible)
Oracle´s Java does not belong to the required software for PC-user for our relief. Java is full of lacks in security. Security experts postulate from Oracle the complete overworking of Java. January 2013 they advised all PC-user to deactivate Java as possible, that means except the cases where Java is needed. One should wholehearted attempt to delete Java from system completely and at once! This can be done for MS Windows by the system control. Nevertheless, if a webside requires Java, the recommend of installing actual Java software is not missing.

OK Be careful with the password-recovery of mail accounts
Make hacker the life as hard as possible. Use different mail-accounts with different passwords kept in a password manager with hard to hack address names like "". Then hacker can not hack in an easy way and especially not all passwords at once.

OK Do not use only antivirus-software but also anti-malware-scanner
Virus scanner alone do not cover and remove all malware. It is a good idea to use malware-scanner too.

OK Screen the webcam Times were known, malware sended word-documents all over to email-contacts. This can get even more and more worse, if computers are suited with webcams and microphones. Put adhensive tapes, maybe with paper between, over the lense of the webcam. Whenever the webcam is needed by the user, he just has to deduct it.

Databasis (SQL)

OK Password-protection for MySQL after the login into MySQL by starting the daemon mysqld and entering "mysql -h -localhost -u username -p" in order to type into beloginging terminal:

grant usage on *.* to ´username´ identified by ´password-to-set´;

This method is advised as secure. Alternatively, but for some protocollings not such secure:

SET PASSWORD FOR ´username´ = PASSWORD(´password-to-set´);

The (own) computer should escape from the dark empire, here named by Miro´s "Suneater", but how?

Technical failures cause from human ones. "The way is the target", means their leader Konfuzius. Gooken itself is a meeting place for the scientific based IT-Security since computer might run secure. Its excursion is introducing the security-concept without the accumulation of any costs for consultation, training, conversion and licenses. It does so by realizing a secure and standard company management database and an everlasting as possible, standard IT-Security-concept for your computer-system through all of companies (fields, mandators, master, departments, standard-processes, editor, printouts, diagrams, security) intergrating Mycompanies company management in PHP-MySQL standard with intergratable PHP-FCKEditor for text-fields, also all ready for WEB-2.0-and 3.0-technology, the determination of security levels, computer-manual, (security-)commands, checklist and prototypes in order to resign from scans from hard-disks as much as from the amount of essential updates and upgrades to none (!) at all as much as possible, a deep look into the work resp. code of search-engines like Gooken, "News&Links" especially for the friends of MS Windows to carry on and more. In comparison with other projects, those of Gooken do not only consist of an everlasting character, but also find an end to the very beginning! the_wall_by_christo


All this direct help online is offered to beware stable positions right before law and opposite fellow men. It is is realized by adjustments and downloads consisting of SQL through company. management, pdf like the computer-manual with checklist and surface covering security-software for prevention, diagnosis and repair to solve the survival-request of computer-age with its central rating for computers completely concretisizing the book "Security in Information Technology" second edition by Prof. Dr. Kersten, Oldenbourg-Hochschulverlag from 1995. Therefore Gooken tries to contribute to the calm, troublefree enterprise! Quit all needs and security problems of the computer can be solved! Gooken offers

Introduction-"basics" to reach the highes IT-security-level" as possible, and a pdf containing also next step 2 to reach an enhanced IT-security-level, pdf system-(security-)commands and pdf checklist,

Anonymizing Proxyserver

surfing with the anonymizing base64-, rotate-13 URL- and SSL-encrypting Proxy and den base64, rotate13, nonssl Proxy for free (with restricted capacity for dowloads) programmed by Abdullah Arif. In both cases, for payment as much as for free, IP are not only exchanged, but also all kind of scripts including tracking-scripts beneath cookies get blocked, by choosing the option "remove scripts". This is important to avoid methods like Canvas Fingerprinting, details see our "online check". If there is no access for our free proxy, try

Webdesign- and programming in HTML, JavaScript, PHP, PHP-MySQL and MySQL

Search engines

suneater_miro Many search-engines tell us, that we can search secure, because they resign from storing the IP of their user. But since Edward Snowden june 2013 the fact is, that many search engines host on server within the USA, even those recommended by so called privacy protectors. Such search-engines have to refer to the Patriot Act and US-law and therefore have to serve the full access of US-authorities. So they can not offer protected privacy (even not, if they try. source: metager, year 2014).

German government and the EU-commission, Tagesschau, 21.05.2014: Mundt supports the demands of Bundeswirtschaftsminister Sigmar Gabriel postulating a hard reglementation and the annihilation of the Google concern. Paris also postulates for harder rules. The minister and his french administration colleague Arnaud Montebourg postulted in a letter to sharpen the suggested conditions for Google. Indeed the ministre from Berlin and Paris do not find the sympathy of the EU-competition commissioner Joaquin Almunia signed by scepsis against the annihilation of Google. But all with Google is by far not obivious. It can not be exclude the commission following all the compaints against Google in further processes by law, explained Almunia at the same time.

trustrank-100 Instead the platform independent Gooken is a self-learning search-engine with SSL-support. Gooken was developed for answering still unanswered questions in conjunction with IT-security past our excurs with downloads as much as for any purpose. You are searching completely anonymously, no click-registration by meta queried searchengines! Actually, no data are stored, neither your IP nor the user-agent-specification of your browser! Gooken resigns from tracking-scripts, participating in a web-advertisement net as much as from server-farms! You can open all websites anonymously.

Open Website Reputation: Gooken 100/100

downloads making Linux, what it proclaims to be: free from any intrusions, without any hacker and any trojan and therefore secure independent from most distribution and version: Linfw3 - the unbeatable fortress with protection against insecure browser-plugins - the comfortable end of all hacker and trojan (for single user, client, server) - besides Klean, Rename-Manager, the (LAN-supporting, platform-independent) PHP-MySQL-library Bibliomaster, platform-independent PHP-MySQL company-management-database Mycompanies and

a filterlist for the adblocker of the konqueror and other adblocker from the Easylist and during the time collected entries

Trials against small money for the attempt to improve your online-reputation within the internet on price at agreement

Fedora and CentOS (resp. ALT Linux) Updates, Linux for Security, and Top Seven by Susan Linton - Jan. 17, 2014, Comments (0)
Related Blog Posts
Microsoft Linux, Fedora 23 Beta a GO
Magical Mageia Review, Mint 17.3 Named Rosa
LinuxToday was another interesting day in the newfeeds, so much so I can܌t pick just one. There were several headlines focusing on Fedora or CentOS (resp. ALT Linux) today. has posted a top seven distro list for 2014 and Jack Wallen says CESG recommends Linux for security. Tha´´s not all either. First up today, Jack Wallen over at published an article discussing the results of the United Kingdom´s Communications-Electronics Security Group (CESG) operating system security tests. The tests consisted of 12 categories of security focus such as Disk Encryption, Authentication, and Platform Integrity and Sandboxing. As if there was any question, Linux proved the most secure of all the desktop and mobile systems tested. So, be sure to check out Wallen´s article for more detail and relevant links.

Operating Systems and covering well designed Software ready to start: after all those computer systems really one to work and game with (stable)!

mdv on USB-memory-stick: Opensource from (bootable) DVD, (bootable) USB (-memory-stick and memory-cards), from DVD onto SSD and HDD, so take the - as we think - one time chance to avoid in future not only computer-techique but also all operating systems. This can be performed by the shell-script mandriva-seed, unetbootin and other programs.:

mdv on DVD: from mdv-final for quit all devices - comuter-final, computing has right begun, where it ended: Opensource-2010-FINAL, secure, easy to handle, but most comfortable Linux fullfillingFSH 2.3 (Filesystem Hierarchy Standard) and ISO-standard-LSB 4.0, with 65 GB (15 DVD) + Fedore rpm + unlimited software from see our data-sheed (left menu) also recommended by, stable and secure from DVD onto your SSD (and/or harddrive) with lifetime installation-support, fc-SuSE-mdv: We also offer complex as much as the mdv2010 already updated, stable and secure Linux-distribution powerpack+final version mdv2010.0 from year 2010 (x86_64, 64-bit, optionally MAC based ("NSA-")Tomoyo-Linux by NTT DATA Corporation, Japan) with driver-comfortable kernel 2.6.31 (2.6-final resp. Knoppix 2010 like mdv-2010-Kernel 2.6.33-7-2, 2.6.39 (with allow-discards-support for FSE and FDE and patches up to actual date from see in our section for updates) or kernel-5.4.249 (pclos/PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos), kernel-rsbac (hardened), RFC-rules bewaring methods for encryption, Firefox 3.6.17 you can update to an actual version like Firefox ESR, patched bash, LUKS/dm-crypt (cryptsetup) with most driver for desktop-computer, all postscript-based printer, PPD from manufacturer or diver-CD, alternatively see compatibilty-list and foomatic-, PPD- and cups-filter-driver and cupsddk (cups driver development kit) from these DVD or Linuxfoundation, and powerpack+ from year 2007 (i586, 32-bit), many graphic-card-drivers including IPG-driver intel, IGP-openchrome and IGP-unichrome3D, ati-, nvidia- and the universal VESA-standard-graphiccard-driver and other ones; each version out of one installation-DVD (1) for the binary-packages (rpm), one DVD for more mdv-2010-software-packages, most already known from mdk10.1 (2004) (2) including Debian Linux paket-manager (apt, dpkg, alien), debbuild (el6), debmirror (el6) more drivers and software listed in the data sheed below and one DVD for the belonging (updated) sourcecode-packages (3): 3 DVD Linux total, stable and secure mdv2010.0-final (x86_64) or mdv2007-powerpack+(i586), 3 × 4,4 GB comfortable, most stable and secure Linux total, free from shipping costs, for 20 € 24h-livetime-support from and sources or installation-DVD mdv2010.0 from for 8 € (2013), or

mdv from SSD: 65 GB mdv-software (15 DVD for mdv2010 out of mdv2010.0, updates, mdv2010.1, mdv2010.2 including all GLSA-updates except KDE and 2014 patched bash and openSSL 1.0.2, Firefox ESR ) extract see data sheed plus source-rpm from your sent-in at least 120GB sized SSD, FSE (FDE) of all partitions: root (around 65 GB) , (by keyfile from the root-partition automounted) home (around 25 GB), SWAP (around 3GB) and one more partition (around 30GB), 24h-livetime-support from or

After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".

mdv out of the internet: mdv2010-packages for free from:, and, 24h-livetime-support from and sources, plus quit all Linux-tarballs,

kernel-5.4.249 (PC-LinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6, version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos) resp. kernel-desktop-2.6.39 (mdv-2011-standard-kernel), kernel-server-2.6.39 (standard-kernel with patches up to now, year 2016, from see our section for updates), kernel-linus-2.6.31 (original kernel from Linus Tovalds), kernel-rsbac (hardened kernel), kernel-uml (protected usermode-kernel), xen-Kernel (XEN-virtual machines), lirc-kernel (infrared-driver), kernel-tmb (laptop), kqemu-kernel (kquemu-driver for the standard-kernel), vpnclient-kernel (vpnc-driver), fglrx-kernel (nvidia-driver), em8300-kernel, broadcom-wl-kernel, hfsmodem-kernel, madwifi-kernel (WLAN-driver), libafs-kernel, lzma-kernel, kernel-rt (SMP-onboard-Realttek/Atheros-LAN-BIOS-Chip with an activatable LAN-ROM), fusion-kernel (fusion-driver), kernel-netbook, kernel-openvz (SMP: multiprocessor-kernel), libafs-kernel, kernel-kerrighed (kerrighed-Support), obencbm-kernel, psb-kernel, actuator-kernel (actuator-driver), lzma-kernel (lzma-driver), m560x-kernel, broadcom-wl-kernel, nvidia-current-kernel, nvidia96xx-kernel, nvidia173-kernel, netfilter-rtsp-kernel, fortune-kernel, vhba-kernel (vhba-driver), em8300-kernel, r5u870-kernel, r5u870-kernel-laptop, squashfs-lzma-kernel, vboxadditions-kernel, virtualbox-kernel, actual Kernel-3.X.X (from or, ...

Notice, that in order to keep transparency and other aspects, the system boot does not in main follow the kernel with its many firmware, but the runlevel-init-scripts out of /etc/rc.runlevel0-6 out of tarball resp. rpm named initscripts and util-linux, almost steered by the script named init.

uml-kernel: User-Mode-Linux is a safe, secure way of running Linux versions and Linux processes. Run buggy software, experiment with new Linux kernels or distributions and poke around in the internals of Linux, all without risking your main Linux setup. User-Mode Linux gives you a virtual machine that may have more hardware and software virtual resources than your actual, physical computer. Disk storage for the virtual machine is entirely contained inside a single file on your physical machine. You can assign your virtual machine only the hardware access you want it to have. With properly limited access, nothing you do on the virtual machine can change or damage your real computer, or its software; you need an uml-kernel and an adequate root-fs-filesystem of about 1GB from; start: #./smb-kernel-name ubda=name-of-root_fs rw mem=256m; stop: #halt.

The Filesystem Hierarchy Standard (FHS) defines the directory structure and directory contents in Unix and Unix-like operating systems, maintained by the Linux Foundation. The current version is 2.3, announced on 29 January 2004.[1]

Only some Linux-distributions fullfill the Filesystem Hierarchy Standard and LSB standard. The Linux Standard Base (LSB) itself is a joint project by several Linux distributions under the organizational structure of the Linux Foundation to standardize the software system structure, including the filesystem hierarchy used in the GNU/Linux operating system. The LSB is based on the POSIX specification, the Single UNIX Specification, and several other open standards, but extends them in certain areas. According to the LSB, the goal of the LSB is to develop and promote a set of open standards that will increase compatibility among Linux distributions and enable software applications to run on any compliant system even in binary form. In addition, the LSB will help coordinate efforts to recruit software vendors to port and write products for Linux Operating Systems. The LSB is registered as an official ISO standard. Linux Standard Base aims to make binaries portable.

mdv2010.0, LSB-version by after typing in the command

lsb_release -a

LSB Version: lsb-4.0-64...
Distributor ID: MandrivaLinux
Description: Mandriva Linux 2010.2
Release: 2010.2
Codename: Adelie (Napoleon, annotation by the red.)


With mdv2010 software is not only covering, it also can be displayed advantageous and interesting:

Window-administration (die hält, was sie verspricht): always-in-foreground, always-in-background, remember, force of positioning and seizing function and so on, fringes, work surface assignment, window-heaver, menü for behaviors, screen-edges, window-effects, changes of windows, actions, activation, spezific settings, ...

Effects for the desktop: kiba-dock, 3D-window-galery, 3D-windows-stack, fade in and out for the system-login and -logout, cube, preview (of minimized windows), showcase with miniaturized images for opened windows, translucency, transparency, dimming, zoom, auto-reticle for centering, gliding, magnifier, shadow, wonderlamp (during the maximizment of minimized windows), wave, ... on the base of composite: spotlighter (justable desktop-spotlight), ardesia (desktop-sketching), curtain (curtain to move on the desktop from one side to the other)...; like plasmoids without markable loss of performance for active processes of mdv2010.


Key-strokes for KDE-desktop-effects: STRG+F9 or mouse pointer into upper left corner: preview with mini-pictures of opened windows, ALT+TAB: window change, STRG+ALT+Scrollrad: window-transparency, STRG+Arrows: cube-rotation of the workplaces

Plasmoids resp. plasma (applets) for the desktop and the controlbar (please notice, that in differnence to mdv2010-rpm-packages actually not all of them do function, so we have to wait, and that some of them get their information

Desktop right upper corner with halfmoon-plasmoid: toolbox out of add control-line, configuraiton of key shortcuts, adjustment for the active-directory-perspective, enlargement/declinement of fonts and symbols and unlocking of the (plasmoid-)miniprograms


to present out of the internet): Daisy (free program choice within rings or bars), Lancelot (desktop-menu), timezones and weather, birthday-reminder, calculator, widget-dashboard, system-monitoring, multiple rowed fast-loader (more-rowed compressing collector for icons with optional mini-pull-down-(up-)menu), unit-conversion, LCD-weather-station, weather forecast, wordclock with timezones, accu-check, image frame, comic, egg-clock, jumping ball, colorchoosing stick, calculator, moon phases, zoom, social desktop, ToDo-lists, remember the milk, system-monitor, guitar-tuner, image-preview, widget-dashboard, birthday-reminder, flickr, language-translator, sun-system, fishtank, DVB-signal-meter, newsticker, Mountoid, Bundesliga, Facebook, Flickr, bsun (wandernde Sonne), FrustML resp. (Mensch-Ärger-Dich-Nicht), Fancy Tasks (quickstarter similar to cairo-dock), Koala (similar to Tamagocchi), Astrocalendar, Plasmio (SMS), daisy (desktop-icons in a cricle), 15 stones,Tomatoid, egg-clock, spell verification, blackboard, WorkContext (nepomuk) and much more ...

Gadgets, Apps-Installer, ...

Gai, The General Applet Interface Library von oder : gai-pal, gai-album, gai-bgswitcher, gai-blobs, gai-clock, gai-mailcounter, gai-nebulus, gai-sun, gai-othello, gai-pager, gai-terrain, gai-visual-audio, gi8k, gwlan, vpn, bluecombo, FishTime, shermans-aquarium, TV in a box (tvib), usermon, ...

Cairo-Dock Cairo-Dock from or

OKkrunner: KDE Semantic desktop search per singe mouseclick on the base of gingko resp. akonadi and nepomuk and so on (all upon MySQL) by direct text-search like Cortana for MS Windows, ideal per mouseclick from the taskline or out of the KDE-start-menu, in order to search for names, database entries of all kind, textfiles, audios, images, videos, e-mail, news (Usenet), command execution, date and time, desktop-sessions (user exchange), kopete-contacts, contacts from kontact, webbrowser-history, konqueror-sessions, bookmarks (to find and envoke), units-converter, media playing, nepomuk (semantic search), locations (open files and addresses, ginkgo resp. semantic view during the saving of documents and other files), (opened and closed) windows and work areas (and their includes), plasma-desktop (interaction with the plasma-shell), TechBase (search within the KDE-TechBase), Wikipedia (searching in Wikipedia), Wikitravel (searching in Wikitravel), dictionary, recent documents, devices, kate-sessions, kget (links to download-manager kget), konsole-sessions, language translator, special chars (creates special chars) and so on: krunner (el6, ..., mdv) (or press ALT+F2)

rpm-description: "Ginkgo (KDE (mdv2010.2, mga, rosa) is a graphical front-end for managing data semantically. Ginkgo lets you create and explore links between your personal data such as e-mails, contacts, files, Web pages. It harnesses the Nepomuk framework."

Start ginkgo (KDE (mdv, mga)): Click upon a directory or file ->, context menu -> "Annotate" (context menu of KDE (mdv2010.2) -> Ginkgo: data record with different text fields
For KDE (el6, OpenSuSE-11.2 4.4.4, 4.4.11) ginkgo does not function, but clicking upon "semantic view" during the saving of documents and files is a good alternative, as it opens the same text-input-fields like ginkgo.

Now you might want to click onto the pliers symbol (settings) and modules, in order to deactivate Wikipedia, Wikitravel and the Google language translator.

[SOLVED by Gooken, 21.10.2016: drkonqi: One or more akonadi_resource do not work or cannot be found]
At first, lookout for akonadi (el6) installed (rpm -qi akonadi).
There are three rpm-packages full of akonadi_resources like ical, birthdays, kcal, knut, kolabproxy, localbookmarks, mbox, microblog, nntp, notes, vcard, vcarddir, nepomuktag, strigi, kabc, kcal and imap: akonadi-kde (mdv2010.2) and kdepim-runtime (el6) with kdepim-runtime-libs (el6).
Now enpack akonadi-kde (mdv2010.2) and copy the not working akonadi-resources, that can be found in rpm´s usr/bin/ to /usr/bin.
The other direction from kdepim-runtime (el6) to akonadi-kde (mdv2010.2) might be the correct one in some cases too.
If you want to start nepomuk-semantic-desktop-search (krunner):
1 eventually start the strigidaemon: /usr/bin/strigidaemon&
2 start desktopsearch-KDE-control-modul ( systemsettings or krunner:enter "nepomuk", in order to select it ) -> 3 select files to index / Dateiindizierung (Verzeichnisse auswählen) -> 4 activate both, nepomuk and strigi / Nepomuk-Semantik-Dienste und Strigi-Datei-Indexer zugleich aktivieren.
3 If the error message ( like "akonadi_ical_resource can not be executed successfully" ) still appears, start akonaditray and remove the belonging resource out of the resource-listing. Many resource can be removed, but maildis, maildir and mailtrans are always needed for kmail.

mdv-screenlets Desktop-Screenlets, image: GUI-Screenlet-administration with more than 100 screenlets additionaly downloadable ones and screenlet-daemon, screenlet in the fore- and background, scalable size, widget-attribute, more attributes like: growing flower ( to give some water from time to time), slideshow, pager, control (to add more screenlets), radio, meter, stocks, speech, sensors, ringssensors, ruler, convert, example of howto create a screenlet, copystack, clear weather von, ...

For more details see the data sheed from left menu.

"4.65 from 5 stars are the results of the average voting of a test from year 2014 for Mandriva based upon 204 meanings of customers from investigates regulary such votings from all sources out of the internet, that are carefully read out by hand and stochastic methods."

Metisse Mandriva Metisse takes 3D to a New Level,
This morning I´ve been watching videos of the Mandriva Metisse Linux that, in my opinion, puts some amazing 3D features at your fingertips. All of this XGL and 3D stuff is often shrugged off as merely being eye candy, but there are four video demonstrations that really show the usability that these features can really offer. I always thought that openSUSE Linux was always the furthest advanced version of Linux since they often implement the latest technology. However, Mandriva seems to be taking that crown away, and I have really considered switching to it as my primary version of Linux that I use. I like the look and feel of their operating system, and it is obvious that they are exploring new ways to make it the best it can be. Download Mandriva Metisse
Thanks for the tip Chris!

Convince yourself: The quit short and many years overworked errata-list of the comfortable mdv2010.0 can be directly obtained from Mandriva Errata 2010.0. Not all of the mentioned problems there have to be solved. With mdv2007 and mdv2010 the time has come to install many, if not all, packages of this distribution and maybe more tarballs at once on the same SSD resp. harddisc instead of, to go sure, a few ones only as generally recommended by institutes like BIS.

The address of Mandriva is not missing on mandriva´s homepage.

Mandriva S.A. (prev. Mandrake), Paris, St. Etienne, Frankreich, Tel...., email-addresses... ( founder: Gael Duval, 70 persons employed )

"Mandriva Linux the brainchild of Gael Duval, who wanted to focus on ease of use for new users. Duval became the co-founder of Mandrakesoft". Most packages origin in Fedora (but I knew a distribution of Fedora on DVD from the same year 2010 remaining quit scanty in comparison).

TrayAbb.: System tray (plasmoid) out of Krandr (screen resolution), kmix, Klipper, parcellite (additional configuration of klipper), NetworkManager, Stardict, USB-connections and encrypted partitions, kgpg, korganizer (calender and. dating planner with reminder function), printer-applet (printer jobs), nepomuk (semantic search), i - information for system messages by kwrited (actually not started, that means still without: knotes or tomboy, tvbrowser, ...), clock with date and calendar and the fast screenlock- and poweron-off-plasmoid; enfastened load of the tray after the deinstallation of interfering draksnapshot

"Mandriva Linux 2010 - perhaps The Best Linux Release All Year - Mandriva Linux 2010 was recently released and brings lots of nice improvements to an already nice system. Mandriva has a long and distinguished history in the Linux distribution arena. They began over a decade ago using Red Hat as their base and quickly became the preferred choice of the new Linux user. This release hopes to offer some amenities to appeal to users of newer trends in technology such as semantic desktop and netbook support. The Mandriva Linux installer sets the standard in user-friendly Linux installers. For those familiar with Mandriva this release brings some great improvements. The best two so far have been the increased stability and performance. Mandriva may have had a reputation for being a bit crashy in the past, but it appears those days are gone. In the several days since a fresh install only one application crash has occurred here, and this application is known to be unstable across distributions. This new-found stability comes with even better speed as well. Not only does Mandriva boot quicker (speedboot: kernel-parameter that can be set in /boot/grub/menu.lst or /etc/lilo.conf, speedboot=yes), but desktop performance has improved noticeably. Applications open and function faster, including the two heavyweights and Firefox. There is virtually no graphic artifacting and redraws are immediate. In addition, the 2010 graphics are just beautiful (source:

mdv2010 enpossibles to choose any design and style out of desktop, appearance and desktop-design-details from systemsettings and gnome-control-center - self mades as much as pregiven ones. A screen covering bootsplash can appear right up at the beginning when powered on using grub or escpecially grub2. Color-schemes can be imported like the one from the CD of the monitor-manufacturer and there are a lot of emojis. Addtionally plasmoids and many ressources-saving 3D-deskop-effects can enrich the desktop. With compiz, the deskop-workplaces are ordered cube or metisse, while the desktop-background can be any wallpaper, slide-show, global map, weather map, mandelbrot and so on as much an image on the fly. Especially OpenGL, fast direct-rendering, SDL and pulseaudio guarant the video- and audio-processing. Mandriva´s center of gravity lies together with the up to year 2060 actualizing Scientifclinux (sl6, el6) alias CentOS 6.7 (el6) and 6.7 (el7) in the extended hardware-support of our days as much as in future.

Nevertheless keep an actual mirrored 1:1-backup on another media during the installation! After all the installation, mdv2010 is running fine.
Mandriva for free: Mandriva Lx 2014 1,6GB free download. Notice, that we would like to keep mdv2010. Therefore we did not test this Mandriva-distribution!


Bootstrap of mdv2010 (creates) a basic Debian system: debootstrap is used to create a Debian base system from scratch without requiring the availability of alien, dpkg with debbuild and debmirror and/or apt. Notice, that in comparison with package manager of mdv2010, those off Debian 2010 like aptitude and synapitic do consist of errors, error-messages, breakdowns and bad overviews. It does this by downloading .deb files from a mirror site, and carefully unpacking them into a directory which can eventually be chrooted into (although we recommended to forbid this command). Debian is also supported by dpkg, apt, dselect, dash, ..., but with mdv2010 there seems to be not much Debian software missed, see The coloured out listings of Mageia Cauldron - and Mandriva-rpm to select is most satisfying on

Mandriva-One (mdv2010.2-final, i586) direct bootable from your USB-memory-stick, USB 2.0 and higher. Harddrive and SSD do remain not only unused, but can also be used for installation.

Linux on your USB-memory-stick:

with a free partition of at least 2 GB or unformatted for 64- and 32-Bit-CPU, mdv-fundament, optional installation onto your harddrive resp. SSD, kernel 2.6.33, grub (with a optional md5-encrypted password-protection for each bootable dracut resp. kernel and memory check by memtest) and lilo (boot-manager, especially for kernel < 2.6.39), Firefox 3.6.13 including the security-addons we recommend and privoxy, KDE 4.4.5, Dolphin 4.4.5, Konqueror 4.4.5, Kontact with kmail and bogofilter, clamav, Korganizer, OpenOffice, packet-manager drakrpm, rpm, gurpmi and urpmi, drakconf, gparted/parted (for changing the partition-size even on USB-stick), software for repair, mplayer (i chose video: X11 (XImage/Shm) and audio: sdl SDLib audio output), mplayer-codecs, mplayer-codecs-extra, mplayerplugin, amarok, image viewer, gimp, gcc, gcc-c++, kwrite, fsck, rkhunter and chkrootkit, xskat, pysol, gnuchess and eboard with crafty (chess), shell-shock resident bash, bash-completion, konsole, xterm, many repair-functions and so on, mdv-i586-rpm-packages OR

of at least 6 GB free partition or unformatted 5.5GB more mdv2010-software from installation-DVD out of all rubrics like gparted, system-monitors, system-tools and more programs for repair, wine and qemu (emulation), k3b and brasero, xscanimage, xsane, tesseract, gocr, cups, xine, totem, flphoto, gtkam, tvtime, zapping, dvbtune, jikes, kino, audacity, supertux, toppler, rocksndiamonds, ....

both free from porto the way back to you. Therefore you just have to put your USB-stick and 10€ protection-fee into an envelope to send it to our address, see impressum. Before your order this, please test your BIOS, if it supports the booting with USB-storage-media (BIOS-boot-sequence and/or keys to determine the boot-sequence like F8), username: user and root, password: mandrivaone.

Reader discussion on, Opensource disconnect vs. proprietary Ghostery
chromax 29. JUN 2015 @ 20:42
Where do you know, if OpenSource-code refers to the compiled one? Still missing security…
CrX 29. JUN 2015 @ 22:06
This question is of academic nature. Practitioner interest in the verficiation (indentically) of executable files and source code.
Therefore oneself compiles the Open-Source, if confident with it.
skoam 24. SEP 2015 @ 10:09

This is immer the right question and an answer does already exist: Open Source can be compiled, in order to compare the build with the receipt executbale binary code. If the hash-sums (md5sum/shasum/file sizes) do not agree (that means differing), the executable code deals with code not listed by its source.

Why UNIX/Linux? Because I know it is opensource and the kind of its (almost german) programmers behind (book from Prof. Kersten and books from some other authors).
It always must be caviar? Tell us about any more secure distribution ever!

Gentoo Linux 12.1 2012 Live-DVD (x86_64 for 32 and 64 bit- and AMD64 forr 64 Bit-CPU) from, burnt 3,3 GiB ISO. The so called meta-operating-system Gentoo is recommended by It is bootable from DVD as much as installabe onto SSD/HDD by open-source-packages to compile in. You can also order already DVD-burnt Gentoo 12.1 AMD64 from us free from postage-fees for 10 €


In comparison with IPhone 6: This smartphone can something like no other one, Focus, 01.11.2014
For 12 US-Dollar only, it rivals with Apple or Samsung - with uncommon features. "Smartphone-the drug is real like everywhere. This handy does not pig up your dates, does not irritate you during concerts, does not disturb you in the cinema and cleans up the passways. The solutiion is found. With this promise, a user names quot;The NoPhone Team" of the Crowdfunding-platform Kickstarter his project. It is a handy like no other one and can do like no smartphone can. Namely... nothing. Perfect for the pockets of the trousers: its wireless design made of flexible plastic feels cool and real. "Just pull it out and hold it." The most signifcatn features are named by the manufacturers: no accu, no nerved updates, splinter-free, water-proofed. This project has it success: the No-Phone-Team wanted to collect 5.000 Dollar but accounted 18.000. With this phone, that can neither phone nor write SMS nor surf in the internet, should cost twelf Dollar. There is another "NoPhone"-version with selfie-function. This model has a mirror in its display and is distributed in the words: "Show your friends your newest selfie, if they stand directly behind you."

We do not believe much in honesty of the other ones in all matters: In regard to SAR-values, cases like Macolini and the feel of the "slap in the face" (probably metastasis) on the side of the handy taken from our section for News&Links and other cases, where magnetic influence was felt by second persons in the circumcirlce of more than three meters from the handy phoning, Gooken dissuades from all kind of wireless (mobile) phones except emergencies!

Two cameras, several microphones, a GPS-modulel and oodles private user data: smartphones are the perfect supervisory devices
Security export leaks out: Your smartphone can spy out - although you powered off everytjhing
,, 08.02.2018
Über GPS und Co. können uns Smartphones permanent überwachen. Zum Glück kann man die Funktionen aber abschalten. Ein Forscher erklärt nun, wie man diese Sicherheitsmaßnahmen trotzdem aushebelt - und warum das kaum zu verhindern ist.
Zwei Kameras, mehrere Mikrofone, ein GPS-Modul und Unmengen private Daten der Nutzer: Smartphones sind die perfekten Überwachungsgeräte.

How to make mobile end-devices secure:

This links origins from our section News&Links#computer#smartphones, CHIP, 26.12.2016: Android-security is one thing to take care of with fitting apps. With such apps you do not need to fear NSA, data robbery, viruses and Co. anymore. CHIP presents the apps protecting your android-handy in a perfect way.

Data-backup for Smartphones: Here are the best solutions for data-backup for Android, iOS and Windows.

ifixit: It is easy to repair smartphones - FOCUS Online.

10.000 mAh powerful monster-akku from Smartphone-Manufacturer OUKITEL, Focus Online 02.07.2015
Four times more powerful than Galaxy S6: This Smartphone has a akku-load durability of one week

The days of empty smartphone-akkus might be gone. The manufaturer OUKITEL plans the first smartphone with an akku-load of one week ...

See reports from our linkside: They are manufactured by perverts (Apple; see a report from our linkside), tiny displays bother the eyes, they radiate and cause serious hard accidents, while one can not care enough for IT security even around them: smartphones. Gooken primarily cares for the Desktop-PC. Therefore, before the (similar) use of smartphones and handies it is strongly recommended to have a look upon our linkside by clicking onto links or here, but remark, that the use of so called-crypto-smartphones and crypto-mobil-phones can provide the needed protection up to the already endangering point of crypto- resp. supercomputers.

ZDNet / Mobile: Why Open-Source-Handies are the better smartphones, from Jack Wallen, 24. september 2009
Open Source provides the mobil market plenty of advantages beginning with the reducing of costs, more security up to many adoptable settings and a more productive development of applications. Do you agree, that Open-Source-devices are the better smartphones? Or does Apple, even Microsoft with Windows Mobile 7 win the fight for the market share? You can write a comment.

Hardware-Support: device-drivers, hardware-databasis

Kernel-5.4.110 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel 2.6.39 (mdv2010) with actual patches up to now from see our section for updates provides extended hardware support. But sometimes you just have to wait. So called "old" hardware must not be bad, the drivers are almost provided. Popular driver are already wtihin the kernel or kernel-modules. If missing in kernel-modules, belonging packages (rpm, deb) can be taken over into such modules. CPUs of mainboards consist of standard machine command sets that are already regarded in the package name like x86_64, i686, ia64, ppc, ppc64, ppc64le, aarch64, s390, s390x, arm, armhfp, sparc and so on, while the BIOS (BIOS-chip) on the mainboard should be socked, so that it can ordered, if malfunctioning. For the graphiccard you can use the UNIX/Linux-standard-driver fbdev or vesa. And the plugin of TFT-monitors is as simple as it can be in the case of postscript-printers by naming the belonging PPD-file out of (rpm) openprinting-packages, manufacturers or manufacturer-driver-CD. Start MCC, go to section "add a printer" and link to such PPD-file. Good to know, that USB is downward compatible. If the (W)LAN-chip does not work, a standard-PCIe- or PCI-ethernet-card helps out, until the packages or Tarballs for the driver are released in the internet, same for graphiccard and the onboard-soundchip.

Hardware for Linux,, 11.06.2019
Question: Is it guranteed, that hardware can be used for Linux for my PC, netbook and peripherals unrestrictedly?
Answer: To say it shortly: No. Here´s the long version of the answer: It takes a leap of faith. Hardware manufacturer seldom offer support for Linux. Basic components like graphik-, SATA- or Ethernet-chipset do not provide problems. But for printer, scanner, USB-TV- or WLAN-Stick, in many cases the driver CD does not include drivers for Linux. And even if, they just fit seldomely into the installed system. Notebooks are often restricted too. In some cases the brightness of the monitor screen can not be adjusted by key combinations or the power modes do not function like in Windows.
Therefore it only helps to get informed through the internet or by the salesman about notebooks and peripherals. There are salesman specialized for Linux like Tuxedo.

OK, 01.09.2015: "Find out compatible hardware before you order it
Whoever does not want to care for Linux-driver, one should check out the compability of the hardware before it is ordered. In most cases it is sufficient to start a search by searchengines with the name of the hardare device in combination with "Linux". One can also search in hardware-databasis. It es also useful to get informed by websites like with lists of hardware, that functions and tipps for their installation. Informationen about TV-cards and Sticks are also providid by Linux TV.
Of Linux should be installed on a notebook, or Ubuntu Wiki provide userful information. There are some manufacturer specialized for notebooks with preinstalled Linux like Tuxedo Computers, although such devices might be a little bit more expensive than Windows-notebooks."

After an upgrade of the glibc from mdv2010 to rosa2014.1 or mga3 a hugh repertoire of driver-packages and -tarballs are provided for even actual hardware.

Such companies do provide drivers for Linux:
Graphic cards: Intel, Nvidia, AMD
Printer and scanner: Epson, HP, Intel, Samsung, Brother and Canon

Hardware databasis and hardware support: for Ghostscript- and the PPD-files of postscript-printer

A detailed report about the hardware-support of drivers is provided by the following article:

If a driver is still missing, he can be buid (constructed) by any user. Several howtos can be found in the internet. For the printer packages lke cups-ddk are released for cups.

X11-server-troubleshooting (graphic card): see our section for "updates"

Printer-Troubleshooting: see our data sheet, section printer

Lacks in security

"The way is the target" are the well-known words from our precedent security-manager Konfuzius (...), that made us write here so much. Our main aim is to drag him out of the computer-scene for IT security and, who is awake enough, even forever! Together with the checklist it is proofed, that computer technology must not be nonsens, even if it is meant so and even if there is nothing really secure in this world, because of the race of the safeendangering with the secure and the certain kind of human behind this scene. Computer-history of nowadays with the typical constitution of software in intransparent „pirate-black“ binary machine-code, unlucid amounts of versions and distributions have shown some more (responsible) difficulties in satisfying claims for achieving real protection for the jack of all trade. Smartphones, notebooks and so on are only mentioned on our linkside. MG Chip: "The combination of raster-electron-, raster-Auger- and raster-plammet-microscope is cracking any kind of chips, however signed secure from manipulation". Serious hard cases of system-self-destructs can not be excluded. But resignation does not help. Nevertheless the aim in general of this excursion is to provide computer-systems with almost no lacks in security at all, and therefore (quit) without any scans from hard-disks by any scan-software. By following the excursion, your UNIX-computer will be freed from all (!) problems with the computer quit at once like (... ever seen so much red in your documents?)

suneater_miro proprietary software (opensource against liablity, more clearance of question about liablity), cost-traps (here: billing by handies and SMS, overread of additional parts of contracts and the conditions), blackmail for unlocking suddenly locked computers (see our report under links), abuse of copyrights and patents, cult for criminals, billions hard investment into spying software and techniques, missing, confusing or the fluctuating IT-security-concept, hard-disk-scans, defragmentation (unnecessary for many UNIX-file-systems), harddrives (instead of MC-SSD, cite: "A magentic harddrive is much to risky to intrust data. Although a lot of improvements took place, who has not heart or - in worst cases - made the experience of lost data. Therefore enough reasons are relevant." (source:, 13.05.2014)), the demand for a registry, registry-errors (UNIX-systems have no registry), degeneracy of the registry, suddenly or inpredictable lost files, explosion (of net-adapter), fire (net-adapter, porous PC-lautspeaker-cable, ...), your own ununderstandable blackened company (enlighted by our PHP-MySQL-company management Mycompanies), virtual blackmail by encrypting harddrives against ransom, shooting through unmanned flying objects as a technical response to stored data, kontermination (through chipsets, preventable by IGP and all-in-one-mainboards) and radiation, WLAN-radiation (see our linkside), CRT-radiation, CD-burner-radiation, netadapter-radiation, warning high SAR-value (handies), zero-emission (reflectable monitor emissionf or example by special PCMCIA-cards prevented by special editors like the zero emission pad), hardware-recognigtion (standarized driver, Kernel ver. greater 2.6.30), infiltration of social networks, handy-hunts through nets, inconsistency (vs. everlasting science), need for upgrades (new tarballs, zip-archives, functionality), updates, patches and bugfixes (vs. functionality), browser with outdated ssl3.0 (modern usage is provided by TLS), changeovers to different security software, missing changelogs, software-overload on harddisc (Opensource, independency-checks, other introduced methods), hacker (STATE-NEW lined iptables-blocking), large holes in firewalls (iptables block-rate), intrusion and valdalism, viruses (access-rights of UNIX-filesystems), freak (patch or prefer browsers like Firefox or Konqueor instead), abuse by virus scanner (standard opensource clamav), worms, rootkits (rkhunter) resp. botnets and trojans (no botnets and no trojans by correct usage of the OWNER-concept of iptables), manipulation by system-administrators upon software, files and configurations, ddos-attacks (almost on the base of bots and trojans), inactual alarms, false-alarms, forgotten or coded warnings and error-messages, ad- and spyware as much as Trackingscripts (firefox-addons), Driveby-Downloads, Canvas Fingerprinting (see under online check), forced acquisition because of truncated customer support for old operating systems (lifetime installation-support for all mdv/mdk over "pointed 1-" to "pointed 0" versions), product-manufacturing fault right on the surface of installation-CD/-DVD, aggressive marketing, need of updates and upgrades instead of functionality, unknown authors behind the named, burn-errors, problems with the BIOS and during the system-startup resp. boot, flush and reset, intransparent boot-processes, hard undestandable process-names (partial standarizement by UNIX/Linux), unmushed nets (failsafed mushed nets), video- and voice-recording, judge-microphons, observing satellite technique (see under links), spanish flies, night viewers, evaluation of such recordings (audit, protocolling files), text- and image-manipulation, manipulation of websits by webhoster, instability, system-breakdowns, broken USB-Sticks (secure umount and never before, fsck), usage of USB-hubs instead of prolonging USB-cables only, manipulated electric meter and cables (UPS: unbreakablel power supply), ineffective encryption through non scientific based cryptograhic methods from highschools, the search for important function-keys,iweak point human, insufficient set of (security-) system-commands, hangons and newstarts, anomal login attempts (LADS - login anomally detection system), inactual alarms and warnings, installation of malware by the opening of e-mail-attachements, unsigned installation from anywhere, installation by everyone, inportability, defect peripherals and hardware, restricted presentation of websides, keylogger and other malware, wiretrapping bedbugs (from USB-cards and other devices), hack of sensible data from USB-sticks through their microcontroller, crack of WLAN-encryption-keys, spy-nets, false email-sender-addresses (disabled browser-cache, header of email-source-text, digital signatures by public signature-keys, de-Mail), DoS-attacks, root-rights providing buffer-overflows (bugs),
aggressive marketing, missing warnings of the BIOS during overheatings of the CPU and from the inside, malfunction of USB-memory-sticks, intransparent boot-procedures without detailed information, long boot-times, weak-point-human (as a title of a contribution from a newsgroup), hard to understandable files and processes by name, side-manipulation and censorship by webhosters, need for additional software for example for ftp-transfer, use of harddiscs instead of durable and less power-consumpting (MLC-) Solid State Disks (SSD), installation of malicious software by opening attachments from e-mail, need for external graphic- and sound-cards (IGP, onboard integrated graphic- and sound-chips), software from unspecified sources (integrity checks, checksum), installation by any users instead by users with special access rights only, cloud computing (by avoiding storage onto foreign media, extern harddrive, USB-memory-stick), bad cable connection, listenings in to WLAN, cracks of WLAN encrypting keys, illegal access into WLAN-access-points, broadcasting bedbugs from USB-cards or other devices), lack of test reports and exchange of experiences (datasheed and test-forums), low duration of batteries and akkus, unknown details of OS-kernel bad or low encryption, encryption by elsewheres cryptographic methods instead of those checked resp. developed by high-schools, bad or low encrpted instant messaging (OTR, ...), manipulation of files like out of /etc/security/msec (FDE, FSE for full disc and full system encryption), file-encryption), vandalism "you can power off your computer now!", insecure passwords, inpredictable exhaust of passwords, amount of passwords (kwallet and relevation), visiblity of files storing passwords (steghide), bad adhere to deadlines, intimelineness, forget of the sourrounding (dating planner, countdown clocking, scheduler, task scheduler, ntp-daemon), burn error on CD/DVD (noflushd), inportability, unmashed nets (failsafe mashed), security endangering security software, missing software, incomplete set of (security-)system-commands, instabilty (breakdowns, blackouts and hang-ons, Alpha-Beta-software-developement stages, ...), release of authorizing root-rights, hacker, smashed wholes into firewalls, viruses, worms, rootkits (rkhunter) resp. trojans, dialer, hoax (watching out for the sender), false alarms, anomal attempts to login (Login Anomaly Detection System like LADS, delays after false-logins, commands to list logins and login-times, risks of WLAN (many single security operations have to be performed), security lacking file-systems, restricted file-systems (capacity of copied files, sytem dependencies, looking out for important function keys (BIOS, security modes...), inpredictibale deletion of files from anywhere, inpredictable remote maintenances, changing of fundamental configurations and settings, need for a registry, registry-errors, Entarten and Verwaisen der Registryeinträge, capacity restricting zombies, adware, popups, tracking scripts, ad- and spyware, online registrations for the release of software, spy-nets, intransparent connecitions over foreign net-nodes ( traceroute-command tcptraceroute see News&Links#Computer ), DoS-attacks, click-ping-tracing, cookies and Third-Party-cookies, supercookies, informing browser-chronicle, ABE, cross-side-scripting, operating time with akku/batteries, suspicious plugins, encryption cracking supercomputers, restricted presentation of websides, censorship depending of the true aims behind, spam (Spamassassin), spam-entries (Captcha), scam, missing option resp. missing command for even foreign notes through the net registrating traceroute (comannd tcptraceroute), read and writes from harddiscs by other parties, phishing, dialer, dissuasiveness, need of upgrades, errors and mistakes, missing software, registration, forwardings and therefore profiling by search-engines and depreciation, pass of hugh server-farms and advertising-networks, personalized advertisment, profiling, identifying ua-browser-answerback (see our online check) resp. IP, static new IP-adress-room ipv6, identity theft, pre-punishment-registration (cybermobbing), bad support, maintenance, bad sectors and file-systems with errors resp. the long time for their repair, capacity-resctriction of file-systems during file-transfer, bad encryption, online speed-blocker, editors (programming) without syntax-highlighting, missing log-files for protocolling, wait-states, needs for many drivers, more than hard to understand names for system-files, processes and errors, hard to understand names for processes and files, support for children and disabled (input-support and other programs like dasher, mouse-tweaks, speech, squid-guard, window-manager like LXDE and XFCE, ...), problems typing in by the ten-finger-system (missing keyboard), manufacturing faults on CD-surfaces (MS 98/SE), insufficient or bad tuned software-components and the risk of their dependencies, need for additional software like for ftp-transfer, old concept of magnetic hard-drives instead of long-durationed, specific natural durabilities for the storage, fast working and powersaving Sold Sate Drives (SSD), need of repair, (extern) graphic-, sound- and ethernet-cards (all-in-one boards, ideally with CPU, cooler and RAM) as a contribute to the enburdening of net-adapter to prevent open fire and explosions, 1000-Watt-PC, 65-Watt-CPU, techical reconstruction of direct debit mandates, missing delivery of online-ordered goods, especially from foreign countries and in cases of a too low amount in controversy, different device-interfaces (well known solved by downward-compatible USB), the disperse resp. page of the security-concept, waste of ressources, waste disposal problems, intern self-destructs, write-offs, science pocketing software-companies, costs for acquistion, licences, training, additional costs, difficulties or bad handlings, ...

... "in West Nix Niue (not new)" ...

with alternatives from our data sheed now all at low cost on the ground of power-consumption like energy saving lamps!

Data Protection
Windows 10: Deactivated funtions do send data to Microsoft

Other person do in the best case thinkable even not know, if you possess a computer at all, neither by IP nor DNS nor they know about your installed operating system resp. operating systems, installed software and files!

Although only human failures can cause errors during the installaton of mdv2010, some errors can happen. There is an amount of error-messages of mdv2010, that do not help troubleshooting, some are missing. Therefore we recommend a second SSD for the backup of every important installation-state of the first one. Then as many packages can be installed on the SSD as the user likes and ever needs without lacking in system-security, if you are installing operating-systems like mdv2010 with packages totally sized over 65 GB!

Survey of the internet node: DE-CIX sues BND, Tagesschau, 22.04.2015
The BND is taken into response before law for his surveys of the net-node DE-CIX in Frankfurt at Main. The holde of the node is going to sue. Criticizer do also sue the government for making tricks. Arond thre terabit data per second are passed and overworked, an amount of 600 CD-Rom. To the customers count all big internet companies like the Deutsche Telekom, Vodafone and Verizon, more details see Links, section "NSA, GHCQ & Co.".

Prism.break is right to recommend both alternatives (addition from 07.09.2013): Tagesschau reports about weak-points in many security software. The industry for software would have been built-in backdoors in their programs. It were possible to get information right before a user encrypts them and to send them over the internet. Super-computer were constructed to crack encrypted codes. NSA-program "Bullrun" belonged to the most kept secrets. The british agency GCHQ were very successfull in cracking code. "With proprietary software, you need to have 100% trust in the vendor because there´s nothing except for their morality in the way of them leaking your personal information. Even if you can vouch for their integrity, proprietary software invariably has more uncaught security bugs and exploits because there are fewer eyes examining the source code.", 2014: "Apple, Google and Microsoft are probable part of PRISM. You can not trust their proprietary operating systems in the matter of keeping sensible data safe from NSA.

Two alternatives do remain: GNU/Linux and BSD.

GNU/Linux has a much hugh community than BSD in order to help us for the change. It is recommended to search for a proper GNU/Linux-distribution fulfilling the requirerments.", 19.10.2015: "BitBox BitBox is a browser-in-the-box - a virtual environment, in order to secure the internet to make it more comfortable during the surfing. This virtual machine with a separated webbrowser protects in front of dangers, for example the rebuild resp. modified browser Dragon from the antivirus expert Comodo. His appearence reminds of Google Chrome, but Dragon is constituted to be more stable and thanks the privacy mode this browser is able to stop serious hard cookies. The inspection of SSL-certificates is more precise. Whoever wants to keep his browser save before the rest of the PC, likes to prefer BitBox - a browser-in-the-box. The developers of BitBox, the Bundesamt for Information Security (BSI), has put their browser into a fitting virtual Linux-environment. Linux has got some advantages in comparison to Windows - there are only a few "varmints", known for this operating system offered for free. So you use a virtual Ubuntu for a surf-system resp. for online-banking. A virus scanner is not required anymore. Tip: Alternatively use Wubi.exe, in order to install Ubuntu beneath Windows. This small file installs Ubuntu beneath Windows on the harddrive. When the system starts, the system is chosen. In this case, a virtual box is not needed anymore."

On Tuesday, March 3, 2015, researchers announced a new SSL/TLS vulnerability called the FREAK attack. It allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data. This site is dedicated to tracking the impact of the attack and helping users test whether they´´re vulnerable. In addition to browsers, many mobile apps, embedded systems and other software products also use TLS. These are also potentially vulnerable if they rely on unpatched libraries or offer RSA_EXPORT cipher suites. Vulnerable Browsers are Internet Explorer,. Chrome on Mac OS, Chrome on Android, Safari on Mac OS, Safari on iOS, Stock Android Browser, Blackberry Browser and, Opera on Mac OS. Firefox (Windows, MAX, Linux) and Konqueror (Linux) are not affected, see for more details.

Tagesschau, 07.31.2014: Actually scientific experts found out, that sensible data can be read out through microcontrollers (processors) from USB-sticks, see the report from our linkside under the point links! Therefore a new USB-standard is devoloped. By this, all data of computers can be read out, even passwords and email-contents as much as devices be steered like webcams. The operating sytem does not notice all of this, as it believes in key-strokes and not software attacks. "We recommend MC-based SSD instead of magnetic harddrives, "A magentic harddrive is much to risky to intrust data. Although a lot of improvements took place, who has not heart or - in worst cases - made the experience of lost data. Therefore enough reasons are relevant" (source:, 13.05.2014)) (similar to magnetic hard-drives, in order to keep the very fast access-times of a SSD, at least 4 GB memory should be kept free, comment, the Red.)

Legend end: Microsoft ends up with Internet Explorer, Focus, 18.03.2015
New browser past 20 years
After two decades a legend of the internet died: Microsoft actually develops a new browser, in order to exchange the Internet Explorer. For the next time, his name is "Spartan" - and he shall have nothing to do with his precedor.

Tagesschau, 28.04.2014: Vulnerabilities of the microsoft-browser
USA dissuade from Internet Explorer
In Microsofts Internet Explorer, market share more than 50% (2012, studie web-analyzators from Net Applications), vulnerabilities past the date for support fof XP (08.04.2014) were found, that do still exist. The US-government advises to use other browsers for the next time. There would be so much difficutlies in the Explorer-version six to eleven, that hacker can cause enormous harm, warned the ministry of home country protection. Problems are known since the weekend. Microsoft told, to do something against them. The vulnerabiltity would cause in wrong programmed memory-accesses. Prepared websites, that user of the internet-explorer call, could provide access for attackers to the computer, in order to execute mailicous code and take control upon the computer. The vulnerabilty already is effectively in use. It is the first serious one, since the support for Windows XP ended. Therefore it could still exist for PCs with the 13 years old operationg system regardless from Microsoft having solved the problem.

In News&Links we describe, howto make an Internet Browser of MS Windows upon the base of a Debian-sandbox secure, downloadable for free.

Internet-Gang robbs one billion dollar from banks, Focus, 15.02.2015
A bank robbery in the internet-century were made in that way: A Gang broke into in computer-systems of credit institutes and manipulated even account balances. They would have get any amounts of money from cash automates they liked.

Focus 2015: Antivirus-scanner promise allround-protection for the computer and to make the surfing online more secure. But in the half of all cases, they can not defend cyber-attacks. 11/2013: Appelbaum from Wikileaks sees opportunities for effective encryption. Therefore free and open source were needed. Not all encryption were the same, not all companies have been confidential or can be trusted.

Tagessschau, 11/2013: Wikileaks sees opportunities for functioning encryption. One needs free and open sourced software. Not each encryption were secure, not all companies were trustable. Wikileaks hops for concete methods against. For expample, if an attorney were proclaiming trust on telephone, although he did not use an encrypted telephone, one should call careless.

Tagesschau, 10.03.2014, cite Snowden: "If you encrypt your hardware and connections within nets it is much more difficult to collect your data by mass-wise-controlling software. Of course, such data can be cracked resp. hacked for special surveillance, but remain more secure. The best proof would have been delivered by his encrypted kept own documents sent per email." ( two encryption can be made for e-mail-transfers: one of the text-includes of e-mails by pgp-gpg, one by pop3s and smtps (TLS) for the belonging connection to the pop3- and smtp-server).

Router-Sicherheitstest 2020: AVM, Asus & Co. im Vergleich
,, 16.6.2020
Welchen Anteil haben verbreitete WLAN-Router am Schutz des heimischen Netzwerks und seiner Nutzer? PC Magazin und das Sicherheitslabor AV-Comparatives sind dieser Frage in einem umfangreichen Test nachgegangen.

OKViele WLAN-Router von Sicherheitslücke bedroht: Nutzer sollten bestimmte Funktion besser abschalten, CHIP, 28.05.2020
IT-Spezialisten haben eine schwerwiegende Router-Sicherheitslücke entdeckt, die offenbar eine ganze Reihe von Netgear-Geräten betrofft. Über die Lücke können sich Angreifer unbemerkt Kontrolle über die Router verschaffen und dem Nutzer so manipulierte Updates unterjubeln. Wie Sie sich davor schützen können, lesen Sie hier. Worauf es beim Kauf eines neuen Routers ankommt, erklären wir Ihnen im Video.
Die Sicherheitsforscher des IoT-Labs der FH Oberösterreich sind auf eine eklatante Sicherheitslücke beim Netgear-Router Nighthawk R7000 gestoßen; offenbar sind auch viele weitere Modelle gefährdet. Das Problem: Der Router bezieht Firmware-Updates zwar verschlüsselt - dabei wird von den Geräten offenbar jedoch nicht das jeweilige Serverzertifikat geprüft. Dadurch ist es Angreifern grundsätzlich möglich, manipulierte Updates der Firmware auf dem Router zu installieren. So können sich die Cyber-Kriminellen potentiell Kontrolle über die Router der Nutzer verschaffen.
Sind einzelne Dateien beziehungsweise der Update-Server selbst gerade nicht verfügbar, kann es sogar dazu kommen, dass die Router bei der Installation gänzlich unverschlüsselte Protokolle nutzen, um die Updates zu installieren, was Angreifer ihre Attacken noch leichter durchführen lässt. Hinzu kommt, dass digitale Signaturen vor dem Update-Prozess nicht überprüft werden. Das führt dazu, dass die Router auch manipulierte Updates installieren, ohne dass dies vom Gerät erkannt wird. Sowohl der automatische Update-Prozess als auch das Update via Assistent im Web Interface sind offenbar von der Schwachstelle betroffen.
Eine offizielle Lösung seitens des Herstellers gibt es bisher nicht: Wie die Forscher der FH Oberösterreich schreiben, habe sich Netgear seit Ende Januar nicht mehr zu dem Problem geäußert, geschweige denn einen Work-Around via Update ausgerollt.

OKRouter-Sicherheit: Virenforscher warnt vor Angriffen über den Browser, Spiegel Online, 26.05.2015
Über manipulierte Websites lässt sich die Konfiguration diverser Router ändern, warnt ein Virenforscher. Weil die Geräte fortan Anfragen auf gefälschte Internetangebote umleiten, haben Kriminelle die Chance, Passwörter mitzuschneiden. Einmal falsch geklickt, schon macht der Router Ärger: Eine raffinierte neue Attacke nutzt die Schwachstellen gängiger Modelle aus, Unbekannte stellen dafür mit Schadsoftware verseuchte Webseiten ins Netz. Der unter dem Pseudonym Kafeine bekannte Sicherheitsexperte beschreibt auf seinem Blog das Problem, das mindestens 40 Modelle bekannter Hersteller gefährdet, darunter Geräte von Asus, Belkin, D-Link, Linksys, Netgear und Zyxel. Fritzbox-Router tauchen nicht auf der Liste auf. Die Angriffe, die Kafeine beobachtet hat, verlaufen nach folgendem Muster: Nutzer von Googles Chrome-Browser werden zu einem Server umgeleitet, der Schadcode enthält. Dieser versucht, das Router-Modell des Nutzers zu bestimmen, um dann die DNS-Einstellungen des Geräts zu ändern. Das Domain Name System, kurz DNS, wird oft als Adressbuch des Internet bezeichnet, denn es funktioniert ganz ähnlich: Gibt der Nutzer im Browser eine bestimmte Web-Adresse ein, geht die Anfrage an den Router, der dann mithilfe eines DNS-Servers die passende IP-Adresse nachschlägt. Gelingt es einem Angreifer, sich mithilfe eines manipulierten Adressbuchs in diese Kette zu schalten, kann er dem Router andere IP-Adressen unterjubeln und den Nutzer so auf gefälschte Websites lotsen. Kriminelle könnten etwa die Startseite einer Bank nachahmen, um die Log-in-Daten abzugreifen, die auf der gefälschten Seite eingetippt werden.Fast eine Millionen Zugriffe an einem Tag: Unbekannten Angreifern ist kürzlich offenbar eine solche Umleitung von Seitenaufrufen gelungen - und das massenhaft: Ein von Kafeine beobachteter DNS-Server konnte in diesem Monat bisher täglich rund 250.000 Zugriffe verzeichnen. An einem Tag - dem 9. Mai - waren es sogar fast eine Million Zugriffe, schreibt der Virenforscher. Die Angreifer gehen clever vor: Als sekundären DNS-Server nutzen sie Googles öffentlichen DNS-Dienst, was bedeutet, dass die Betroffenen auch dann Seiten erreichen, wenn der Server der Angreifer einmal den Dienst verweigert. Bemerkenswert ist, dass offenbar nicht nur Router gefährdet sind, deren Fernwartungsfunktion aktiviert ist. Der beschriebene Angriff erfolgt Kafeine zufolge durch eine sogenannte Cross-Site-Request-Forgery (CSRF), mit der ein Browser gezwungen werden kann, Aktionen auf fremden Webseiten auszuführen. Ziel des Angriffs ist die Administrations-Oberfläche des Routers. Auch wenn sie von der Fernwartung abgekoppelt und eigentlich nur im lokalen Netzwerk verfügbar ist, lässt sie sich attackieren, da Router im Gegensatz zu Internetseiten oft nicht gegen CSRF-Attacken geschützt sind, schreibt "Computerworld".

Wie kann man sich schützen?

Die von Kafeine veröffentlichte Liste betroffener Geräte ist vermutlich nicht vollständig. Nutzer sollten daher - unabhängig davon, ob ihr Router zu den genannten gehört - prüfen, ob die Firmware Ihres Routers auf dem neuesten Stand ist und sie gegebenenfalls aktualisieren. Die Cyberkriminellen machen sich mit diesem Angriff nämlich vor allem die Bequemlichkeit der User zunutze: Einen Router konfigurieren viele Nutzer nur einmal, danach kümmern sie sich nicht mehr darum. Wie wichtig regelmäßige Firmware-Updates gerade für diese Schnittstelle ins Internet sind, hat erst vor einigen Tagen die NetUSB-Lücke gezeigt.

OKPasswörter von 500.000 WLAN-Routern geleakt: Das sollten Nutzer jetzt unbedingt beachten, CHIP, 21.01.2020
FritzBox Firmware Update: So einfach geht die Aktualisierung
Hacker nutzen WLAN-Router und Server, um Botnets aufzubauen. Nun wurden die IP-Adressen und Passwörter von über einer halben Million Geräten frei zugänglich im Netz veröffentlicht. Doch es gibt Maßnahmen, die jeder Nutzer jetzt ergreifen kann. Zum Beispiel ein Update. Wie Sie Ihre Fritzbox am besten updaten, erklären wir Ihnen im Video.

OKRouter updaten: Bundesamt warnt vor Sicherheitslücken,, 07.01.2020
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt Besitzer von D-Link-Routern vor einer Schwachstelle.
Das Bundesamt für Sicherheit in der Informationstechnik (BSI) warnt aktuell die Bürger mit zwei technischen Sicherheitshinweisen der Risikostufe 3 und Risikostufe 4 vor Schwachstellen in WLAN-Routern des Herstellers D-Link. Die erste Schwachstelle ermögliche die Offenlegung von Informationen. Die zweite Lücke ermögliche das Ausführen von beliebigem Programmcode.

Typische Probleme am Router lösen,, 10.09.2019
Wenn selbst bei schnellem DSL Streams stocken oder Internettelefonate abbrechen, helfen die richtigen Einstellungen am Router.,3449919

Kein Zugriff auf So klappt das Router-Login,, 18.03.2019
Trotz Eingabe der IP-Adresse oder im Browser klappt das Router-Login nicht? Wir bringen Sie in 7 Schritten ins Router-Menü.

OK Browse: Therefore always try to turn http:// -> https:// (ssl) in the address-line of your browser manually, before the URL of the webside is entered! Favorites should contain only such URL too. Notice, that a ssl-certificate of the webserver resp. webhoster is not present in all cases!

JonDoBrowser: Anonymous Firefox-replacement, still beta, CHIP, 14.09.2012
The JonDos GmbH (University Leipzig) accused Firefox for having built-in functions, that are harmful for data protection. Therefore their developers released the (together with Jondo) anonymizing JonDoBrowser Beta for free,

Jondofox - Firefox with condom
Download Jondofox:
We, Gooken, introduce a list of security browser on News&Links#Alternatives#The-Green-LED#BrowserCharts For installing Jondobrowser, set the path to the firefox-profile in the installation script of Jondofox manually to /home/surfuser/.mozilla/firefox. The inegration follows right past the start of firefox. Never install addons not basing on Open Source. Jondobrowser´s integration of Add-ons like https-everywhere should, as described, also be seen critically.

Freak: "Freak"-Sicherheitslücke: Auch Windows betroffen, 06.03.2015,
Mit einem sogenannten "Freak"-Angriff wird es Dritten möglich, eigentlich geschützten Datenverkehr zu entschlüsseln und womöglich persönliche Daten mitzulesen. Diese Betriebssysteme und Browser sind betroffen.
Am vergangenen Dienstag wurden Informationen über die sogenannte "Freak"-Sicherheitslücke öffentlich gemacht. Durch diese können Dritte Daten aus eigentlich geschützten SSL-/TLS-Verbindungen abgreifen. Damit dies aber tatsächlich möglich wird, müssen bestimmte Kombinationen aus benutztem Webbrowser und verwendetem Betriebssystem gegeben sein. Grundsätzlich sind Android-, iOS-, Windows-Phone-, Windows-, Mac- und Linux-Nutzer gefährdet. Zum Ausnutzen der Lücke müssen zudem Webseiten mit einer geschwächten Verschlüsselung angesurft werden, wie auf.

During a normal browsing with MS Windows and MAC, focus 31.08.2014
Danger in the internet: the unvisible drive-by-download
Infections by drive-by-downloads are very perfide. During the surfing in the internet, malware of infected websites can be loaded onto the computer without the possibility to notify it - article by FOCUS-Online-expert Marco Preuss reports in April 2014 about adobe-flash-player with security-lacks that can lead into trojans finding out password and credit-card-information. Updating this software is strongly recommended, same for Java. With UNIX-Systems updates, patches and bugfixes can be be performed from their original sources and that means immediately with the date of their release as much as in the following example:

Checksum helps to prevent the download of trojans out of the internet.

Inceasing amount of data theft, Tagesschau, 07.04.2014
As IT-security-experts tell among other things in conjunction with lacks in security of OpenSSL, In year 2013 data of more than half billions internet-users have been stolen as a result of online-attacks. 552 million identities are involved, as told by a security-company about six × more than 2012., 21.12.2014 tells in a report, that you still can not trust cloud computing and the own data on other far-away-server. We believe not only in security risks of cloud computing, but also in data receiving consulting companies from there. Inspite of our excurs, on the base of some other operating systems there still were a need for security experts in 2014!

Tageschau, 28.04.2014 reports about actually found out one more serios hard security lack in Internet Explorer 6 up to 11 (market share value more than 50 %, 2012, .netApplications), so that XP, no further updates available since 04.08.2014, still has to be updated and even USA advised to use other browser by so called country-protecting organizations. The troubles caused by such Internet Explorer versions would have been such big, that hacker could do harm a lot. Since the last weekend, Microsoft is looking for solutions. The security-whole conisted of a buggish memory-access that enabled users using the IE to gain access to computers to execute mailicious code and to gain control over the computer. This security-lack would have been already taken in use.

AOL email-accounts including security-requests also would have been hackened.

Yesterday Apple Apple warned against data theft due to a lack in security in OS-X. If an attacker is provided access to the same network as other users - for example the usage of abad protected WLAN-connection of a restaurant - he could be able to access data from email-transfer and other communication procedures (protocols), that should have been encrypted instead as already mentioned by Edward Snowden, his former organization would already have taken advantage upon it..

Not much can be done against fake accounts in the name of identity theft of oneself in the internet except by law. One should register oneself in the most popular social networks like facebook to make a contribute to avoid it. Such account should be suited with as few sensible data as possible and be visited regulary in this sense of maintenance.

We, Gooken, also notice, that norisbank (Deutsche Bank) gots certified many times for online banking by german certifiers like "Stitung Warentest", although, as Tagesschau reported, states do invest billons more or less against such this security of encryption! In such cases UNIX-commands like "tcptraceroute" can provide users some important facts about such online-connections ( Instead OpenSSL should strongly be updated from at least to version >= 1.0.2d past 07.04.2014 ... as part of our DVD-2 mdv2010.0-updates!

Such red marked text does not come to an end on our webside "News&Links", if it were not enough red... . Please click here!

The essential Idea: "PC-refrigerator" through airodynamic

might origin not from us, but is to do everything right at the beginning. Not software, but the exemplary, power-saving and therefore the net-adapter enburdening hardware depicted in our data sheed stands in the middle of interest here. To be more concrete, we talk about the computer tower itself, where everything should prepared for best air-cirulation. This cooling box (hardware-refrigerator) makes it possible to cool down warm air 3 up to 10 degree;C. All you need are one or better two cooler, one for the incoming air right up at the bottom of the front of the tower and one more for at the top of its back for the leaving of the air in a quit fast way. Therefore do not forget to seal the rest of the tower using plastic foils and adhensive tapes. Not only the circulating air but also the metal of the walls of the tower do also have the specifiation to increase the cooling of the inside. If possible, also follow the tip from, where the tower of the server system consists of half-cylindered metal plate between the two coolers upon the mainboard. Screen resolution and screen repition rate should be set to "auto" following an almost large rate between 59 up to 95 Hz and higher. Now, the eye-friendly graphic chip can show what is performance especially during extrem burdening play of opengl- and sdl- based computer-games-scenes, while the stable hardware might do its work forever too.

Mandriva Linux 2010 - The Calming

Therefore you almost need:

2 SSD at least a 128 GB or 1 SSD or 1 (external) harddrive of thecapacity of at least the installation-SSD or -harddrive for the restauration and the backup
1 USB-memory stick with a command dd and the partitionmanager gparted providing rescure system, Mindi, Mondo or a DVD with Knoppix (that you can download out of the internet), best, following the manual howto install on harddrive, such Knoppix on a separte, small, greater or equal 250 MB partition on the installation-SSD or harddrive and
1 directory for all the already installed packages.


See, how Linux is prepared for the endurable mouseclick-fast work with SSD:

Linux tips & tricks
Linux ready and optimized for SSD: The text of this webside is in german language, so we summarize, that we recommend the full-installation of Linux on SSD. Important seems to be the ability to trim the SSD, what can be checked out by the command "hdparm -I /dev/sda | grep -i TRIM". In /etc/fstab noatime,nodiratime,data=writeback and eventually option discard should be set for the root-, home- and the temporary partition, for SWAP use commit=0,data=writeback,discard. commit stands for the period, data are written out of the cache onto SSD. Do not set it too high, not above 600. The last thing for the SSD to make work mouseclick-fast is the installation of the rpm-packages hdparm and sdparm for el7. Following an instruction for Debian, also set in /etc/crypttab the option "allow-discards" for dm-crypt and in /etc/lvm/lvm.conf the option "allow-discards" for LVM (we resigned from LVM), for Btrfs-filesystems also set the mount-option "ssd" in /etc/fstab. The read-access-time in MB/s can be find out by "hdparm -t /dev/sda" and
one more test still uses both options -t and -T, but also option --direct ("Use O_DIRECT to bypass page cache for timings"), what leads to direct read without page cacheing. This test is almost used, as the pure data flow to the SSD within two resp. three seconds is measured: "hdparm -tT --direct /dev/sda"
Check, if the started kernel does already recognize the SSD: cat /sys/block/sda/queue/rotational
If zero resp. 0, he does! If not, please follow reports like

OK Following this report, the IO-Scheduler can be chosen: noops, deadline or CFQ. cat /sys/block/sda/queue/scheduler shows the activated one in edged brackets. After performing tests like above, choose the right one, that is almost noops, especially deadline by Grub (analogous Grub2) entering in /boot/grub/menu.lst the option "elevator=deadline" past the kernel-options beginning with kernel=... and past ro resp. rw . The Firmware-version is named by "hdparm -iv /dev/sda"

For TRIM-supporting SSD "discard" can be set not only in /etc/fstab and allow-discards not only in crypttab, but for ext4 also by command tune2fs:

tune2fs /dev/device-filename resp. ( in the case of LUKS-encryption) tune2fs -o discard /dev/mapper/container_filename

This command makes the "durable" activation of the SSD-TRIM by option "discard" without blockings much more possible

Universal-Linux BULLET-PROOF: Root-partition read only
For the Root- and Home-Partition depending on conditons, we also can set the ro-Option for read-only, if we do not want to install and update anyhting anymore, do this by following the conditions of the arcticle from,, and . Even think about the deactivation of the journalling of reiserfs by option "nolog", that keeps the SSD from writing journals (that means logs of the last stable (error-free) state before errors occured, in order to restore in error-cases). More or less, setting root-partition read-only can be considered as useful, but a little bit "paranoid":

OK "Read-only rootfs: Theory and Practice - Chris Simmonds, 2net
Configuring the rootfs to be read-only makes embedded systems more robust and reduces the wear on flash storage. In addition, by removing all state from the rootfs it becomes easier to implement system image updates and factory reset.
In this presentation, I show how to identify components that need to store some state, and to split it into volatile state that is needed only until the device shuts down and non-volatile state that is required permanently. I give examples and show various techniques of mapping writes onto volatile or non-volatile storage. To show how this works in practice, I use a standard Yocto Project build and show what changes you have to make to achieve a real-world embedded system with read-only rootfs. In the last section I consider the implications for software image update. Expect a live demonstration" # (usage at your own risk!)
The FHS allows mounting all underneath /bin, /lib, /sbin and /usr read-only. But you can extend this much more by using different filesystems for some trees and take care for special files.
Locations that must be writable are /etc, /home, /srv, /tmp, /var. The hierarchies below /dev, /proc, /selinux and /sys are already handled by special filesystems.
For /tmp you can use a tmpfs filesystem or its own filesystem. For /var it´s prefered to use its own filesystem. An example can look like this:
Device file Filesystem Mount point RO/RW
/dev/sda1 ext2 / ro
/dev/sda2 ext3
/var rw

tmpfs /tmp rw
/var/local/home bind mount /home rw
/var/local/srv bind mount /srv rw
You can use a filesystem without a journal for /, because you don´t write there and you don´t need the journal. This can be an ext4, too, hence you can take advantage of the improvements of ext4. Create the filesystem with mke2fs -t ext4 -O ^has_journal /dev/sda1 or remove the journal with tune2fs -O ^has_journal /dev/sda1.
Special files in /etc
You have to take care for some files in /etc. These are
because it´s modified on boot up; see bug 156489
Solution for mdv and el6,el7: Change the hwclock-command in /etc/init.d/reboot and /etc/init.d/halt from "hwclock --systohc" to "hwclock --systohc --adjfile=/var/local/adjtime".
Solution for Debian Wheezy:
(1) add the option --noadjfile to HWCLOCKPARS in /etc/init.d/ and /etc/init.d/
(2) fix /etc/init.d/ by replacing -f by -L in "if [ -w /etc ] && [ ! -f /etc/adjtime ] && [ ! -e /etc/adjtime ]; then"; see 520606.
alsa: init.d/alsa-utils
All versions before alsa-utils/ (@2013-10-25 concerns wheezy version) of alsa-utils package startup script creates /.pulse files, leading to multiple error messages "Failed to create secure directory" when pulseaudio is installed.
Relevant bug: 712980
because it´s modified at runtime by libblkid1
Solution:You can´t create a symlink from /etc/ to /var/local/ because, unfortunately, libblkid1 will not honor this symlink. It will replace it on every write by a file, if the filesystem is mounted for writing (e.g. while doing an apt-get install). To work around this you must set the environement variable BLKID_FILE to /var/local/ You should do this in /etc/environment to set the variable for everybody, who might do mounting.
courier imap
Courier IMAP uses a text file (/etc/courier/shared/index) for fast user lookups, if running as a mail server for virtual mailboxes (the default configuration of authenticating against pam is unaffected by this).
If using virtual mailboxes with shared accounts the file will need to be moved elsewhere, the directory /var/cache/courier/shared/ would be suitable but will need to be manually created.
Once that is done update /etc/courier/imapd and change IMAP_SHAREDINDEXFILE to IMAP_SHAREDINDEXFILE=/etc/courier/shared/index .
See for information upstream provide about this setting.
CUPS stores any kind of state files under /etc (classes.conf, cupsd.conf, printers.conf subscriptions.conf) and upstream is against any modification.
Relevant bug: 549673
Lvm stores a backup of current and archives of previous metadata in /etc/lvm/{backup,archive}. That causes any operation altering the metadata (vgreduce, vgextend, lvcreate, lvremove, lvresize, ...) to fail if / is not remounted read-write during the operation.
Solution: The location of the backup and archives is specified in /etc/lvm/lvm.conf. Set backup_dir = "/var/backups/lvm/backup" and archive_dir = "/var/backups/lvm/archive", create /var/backups/lvm and move /etc/lvm/backup and /etc/lvm/archive there.
Note: Lvm normally creates a backup during boot. This no longer happens as it is smart enough to see that /var is not yet mounted (or still read-only). But unless you use cluster lvm you will always already have a current backup from the last time you changed the metadata. So no harm done.
Relevant bugs: 372207 562234 (for etckeeper behavior WRT LVM files see 462355)
mtab used by mount
Solution: Create a symlink from /etc/mtab to /proc/self/mounts
mount.cifs (before smbfs 2:3.4.3-1) doesn´t honour this symlink and replace it with a real file; see 408394
mtab is in /etc for historical reasons as per FHS 2.3.
Used by ifupdown up to Squeeze
Solution: ifupdown links /etc/network/run to /run/network in postinst if /etc/network/run is not a directory.
rm -rf /etc/network/run
dpkg-reconfigure ifupdown
Alternatively: Create a symlink from /etc/network/run to /lib/init/rw/etc-network-run (network/run is accessed by ifupdown init scripts before /var might be mounted, therefore, the abuse of /lib/init/rw)
Systems running Wheezy will be automatically moved to using /run/network no matter what their existing configuration was.
Relevant bug: 389996
modified on boot up by the initscripts and rmnologin
This should already be a symlink to /var/lib/initscripts/nologin
In wheezy the init scripts directly modify /var/lib/initscripts/nologin
If you have only a static nameserver configuration, then there´s no problem. Otherwise you should use the package resolvconf.
passwd, shadow
These files might be modified by the user with the tools chfn, chsh and passwd. If you are the only user of you system, you can remount the filesystem read/write, before using these tools. Otherwise you might think about using NIS or LDAP.
If the dhcp3-client (AKA isc-dhcp-client) package is installed, every time a DHCP connection is established, /etc/dhcp3/dhclient-enter-hooks.d/samba creates /etc/samba/dhcp.conf, no matter if it is used or not in /etc/samba/smb.conf.
Relevant bug: 629406
suck puts files in /etc/suck which are modified by suck at runtime; see 206631 To work around this problem, you have to move /etc/suck/sucknewsrc* to a new directory /var/local/suck, create a symlink /etc/suck/suckkillfile to /var/local/suck/suckkillfile and set etcdir in get-news.conf to /var/local/suck (this sets the -dd option of suck)
If the udev rules 75-cd-aliases-generator.rules and 75-persistent-net-generator.rules are enabled, udev will try to update the files 70-persistent-cd.rules and 70-persistent-net.rules in /etc/udev/rules.d/ if needed. It is recommended to create the files once with all the rules needed and then disable the /etc/init.d/udev-mtab init script. While the root is readonly new rules are added to /dev/.udev/rules.d/.

Copy /var/lock or /var/lock/* to the mini-partition for /var. Do this also for kernel-partition /tmp or set /tmp to read-write. Copy /var/log/* to it too and link it to /tmp: "ln -sf /tmp /var/log/*".

Link the konqueror-browser-cache to /tmp: This means linking some cache-files of /home/user/.kde4 resp. /home/surfuser/.kde4 with the temporary /tmp one. Enable readonly root
To make your root filesystem mounted readonly, you must edit your /etc/fstab and set the mount option ro.
# /etc/fstab: static file system information.
# file system mount point fs-type options dump pass
/dev/hda1 / ext2 defaults,noatime,ro,errors=remount-ro 0 0
/dev/hda4 /var ext3 defaults 0 2
The option noatime is useful while the disk is mounted read/write while updates.,, und
ext4 partition READ ONLY mounten -

Next step: Deactivate journalling-feature of file systems like ext4 and reiserfs (reiserfs: nolog-option) and
disable filesystem-checks by tune2fs (ext4) resp. reiserfstune and by setting the fs-check-parameter for the root-partition to 0.

Now a correcture within /etc/rc.sysinit shall be done:
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount,rw /
"if remount_needed ; then
action "Remounting root filesystem in read-write mode: " mount -n -o remount /

At last the kernel-option "ro" should be entered in /boot/grub/menu.lst for grub, for example behind "root=UUID...".

Never mind or nevertheless, If these steps for setting the root-partition read-only do not help, try the following article:

Generally, the security level of software is not only presented by stability, but also by the freeness of errors and warnings during the compilation of their source codes listed by the compiler. Kernel-2.6.32 (el6) consits of many of them and most of them are caused by kmem.h, while kernel-5.4.249 (PCLinuxOS) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel- (mdv2011) runs error-free on our system without any warnings during the compilation time of around four hours! The only thing remaining is to patch with the dirty-cow-patch in mm.h and memory.c (listed in the internet). You can get acutal patches for this kernel from see our section for updates.

After the installation of kernel-4.19 (pclos), lookout for the requirements and install missing ones like kmod (pclos): "rpm -qi --requires kernel-4.19....".

New Kernel: Configuration and Installation out of its source

How to install a new kernel: Download and install all binary packages (rpm resp. deb) required for the kernel. Then download and enpack the kernel-source-rpm into /usr/src either by "tar -xvjf kernel-source-package" or file-roller. A new directory named "linux-kernelversion-xxx" or "kernel-source-xxx" is created within /usr/src.
Link this new directory to a linking file named linux: "ln -sf linux-xxx linux" resp. "ln -sf kernel-source-xxx linux".
Change into this directory linux resp. linux-xxx resp. kernel-source-xxxx and call "menu oldconfig". A file .config is created to configure the kernel.

Set the Kernel-Version at the top of the makefile.
Type "menu xconfig" or "menu gconfig" or "make menuconfig" and configure the kernel-drivers and so on needed (CC), needed as modules (CC MM) and such to resign from.

FSE (full system encryption) prevents from chroots, mounts (see "man mount") and bootups especially through systems on USB-sticks and from CD/DVD in order to read all kind of data from storage media like harddrives and memory (RAM) and data theft and so on.

For FSE (full system encryption) by dracut, two options have to be enabled, what is already done in kernel-desktop (mdv2011) but not kernel (el6):
within the first item "General Setup"enable "Initial-RAM-filesystem and RAM-disk-support"and in "general drivers" enable the option "Maintain a devtmpfs at /dev/ with subitem "automount devtmpfs at /dev, after the kernel mounted the rootfs".
If you do not know, what to enable or not, choose MM to load as a module wherever possible.

Linus Tovald called the grsecurity-patches rubbish (PRO-LINUX, 2017, 2018):
Nice description, but as far, as I know this kernelmodule does following.
The system is been protected by disallowing several things

- ´texec´ : TPE protection (Trusted Path Execution, more on this later)

- ´procfs´ : procfs protection

- ´hardlink´ : hardlink create protection

- ´symlink´ : symlink follow protection

- ´rawdisk´ : rawdisk protection

- ´pipe´ : Pipe (FIFO) protection

- ´trace´ : process trace protection

- ´systable´ : syscall table checking

- ´logging´ : if you want logging, turn this on

- ´persist´ : by default this is set to 0, so the module can be unloaded, but you may set it to 1 to make it unremovable

- ´capbits´ : set the capbits value. You have to supply a certain mode for the capbits variable.

Hardlink/symlinkprotection protects the system from making this links for users.
Persist sets a capability that the module cannot be unloaded.
Capbits are kernelbits, that define certain rights even for root - in normal
case root could do allmost anything.
Like in all cases you have to know, what you do, because with that module
loaded some processes will not have the full rights they need.
For example I tried a /proc protection module and hotplug freezed after that
(not funny).
There is no real desription of anything reguarding that module and I don´t
know, which bits to set and which not!
Another thing is the opensource thing within that modules, because you can only use them on SuSE (with some disadvantages you can use the
firewallscript on Debian and Red Hat).
It is allways a nice thing to make more a secret of a thing, than
describing, how it works.

OKgrsecurity-patch - Components (similar to secumod),
kernel source: subdirecotry of /usr/src/kernel-version/, "patch -p1 < ../grsecurity.patch"


A major component bundled with grsecurity is PaX. Among other features, the patch flags data memory, the stack, for example, as non-executable and program memory as non-writable. The aim is to prevent memory from being overwritten, which can help to prevent many types of security vulnerabilities, such as buffer overflows. PaX also provides address space layout randomization (ASLR), which randomizes important memory addresses to reduce the probability of attacks that rely on easily predicted memory addresses.
Role-based access control
Another notable component of grsecurity is that it provides a full role-based access control (RBAC) system. RBAC is intended to restrict access to the system further than what is normally provided by Unix access control lists, with the aim of creating a fully least-privilege system, where users and processes have the absolute minimum privileges to work correctly and nothing more. This way, if the system is compromised, the ability of the attacker to damage or gain sensitive information on the system can be drastically reduced. RBAC works through a collection of roles. Each role can have individual restrictions on what it can or cannot do, and these roles and restrictions form an access policy which can be amended as needed.
A list of RBAC features
: Domain support for users and groups
Role transition tables
IP-based roles
Non-root access to special roles
Special roles that require no authentication
Nested subjects
Support for variables in the configuration
And, or, and difference set operations on variables in configuration
Object mode that controls the creation of setuid and setgid files
Create and delete object modes
Kernel interpretation of inheritance
Real-time regular expression resolution
Ability to deny ptraces to specific processes
User and group transition checking and enforcement on an inclusive or exclusive basis
/dev/grsec entry for kernel authentication and learning logs
Next-generation code that produces least-privilege policies for the entire system with no configuration
Policy statistics for gradm
Inheritance-based learning
Learning configuration file that allows the administrator to enable inheritance-based learning or disable learning on specific paths
Full path names for offending process and parent process
RBAC status function for gradm
/proc/<pid>/ipaddr gives the remote address of the person who started a given process
Secure policy enforcement
Supports read, write, append, execute, view, and read-only ptrace object permissions
Supports hide, protect, and override subject flags
Supports the PaX flags
Shared memory protection feature
Integrated local attack response on all alerts
Subject flag that ensures a process can never execute trojaned code
Full-featured, fine-grained auditing
Resource, socket, and capability support
Protection against exploit bruteforcing
/proc/pid filedescriptor/memory protection
Rules can be placed on non-existent files/processes
Policy regeneration on subjects and objects
Configurable log suppression
Configurable process accounting
Human-readable configuration
Not filesystem or architecture dependent
Scales well: supports as many policies as memory can handle with the same performance hit
No run-time memory allocation
SMP safe
O(1) time efficiency for most operations
Include directive for specifying additional policies
Enable, disable, reload capabilities
Option to hide kernel processes

Chroot restrictions
grsecurity restricts chroot in a variety of ways to prevent various vulnerabilities and privilege escalation attacks, as well as to add additional checks:
No attaching shared memory outside chroot
No kill, ptrace (architecture-independent), capget, setpgid, getpgid and getsid outside chroot
No sending of signals by fcntl outside chroot
No viewing of any process outside chroot, even if /proc is mounted
No mounting or remounting
No pivot_root
No double chroot
No fchdir out of chroot
Enforced chdir("/") upon chroot
No (f)chmod +s
No mknod
No sysctl writes
No raising of scheduler priority
No connecting to abstract unix domain sockets outside chroot
Removal of harmful privileges via cap

Miscellaneous features
Among other things, it can be configured to audit a specific group of users, mounting/unmounting of devices, changes to the system time and date, and chdir logging. Some of the other audit types allow the administrator to also log denied resource attempts, failed fork attempts, IPC creation and removal, and exec logging together with its arguments.
Trusted path execution is another optional feature that can be used to prevent users from executing binaries not owned by the root user, or world-writable binaries. This is useful to prevent users from executing their own malicious
binaries or accidentally executing world-writable system binaries that could have been modified by a malicious user. grsecurity also hardens the way chroot "jails" work. A chroot jail can be used to isolate a particular process from the rest of the system, which can be used to minimise the potential for damage should the service be compromised. There are ways to "break out" of a chroot jail, which grsecurity attempts to prevent.
There are also other features that increase security and prevent users from gaining unnecessary knowledge about the system, such as restricting the dmesg and netstat commands to the root user.[13]
List of additional features and security improvements:
/proc restrictions that do not leak information about process owners
Symlink/hardlink restrictions to prevent /tmp races
FIFO restrictions
dmesg restriction
Enhanced implementation of trusted path execution
GID-based socket restrictions
Nearly all options are sysctl-tunable, with a locking mechanism
All alerts and audits support a feature that logs the IP address of the attacker with the log
Stream connections across Unix domain sockets carry the attacker´s IP address with them (on 2.4 only)
Detection of local connections: copies attacker´s IP address to the other task
Automatic deterrence of exploit brute-forcing
Low, medium, high, and custom security levels
Tunable flood-time and burst for logging

Activate only those options, that will not lead into serious hard malfunctionings of the kernel!

OKInstall paxctld (rpm or tarball from

Save the new .config.
Three possibilites, after the patching of the source-code (in our case the dirty-cow-patch):
make -i rpm (to create the binary kernel-rpm package, what endures on our system for around four hours)
make bzImage (to create its core vmlinuz for /boot only after renaming the created file bzImage: time needed: around 30 minutes) or
make bzImage &&make modules &&make modules_install for the installation of the kernel-modules too.
Copy the bzImage to /boot, rename it to vmlinuz-kernelversion.
Use mkinitrd resp. in the case of FSE (Full Disk Encryption resp. encrypted root-partition) dracut to create the initrd resp. initramfs within directory /boot.
If you use grub as the bootloader and not grub2 and the configufile is still not configured for the new kernel, do this by editing /boot/grub/menu.lst and exchanging the vmlinuz-kernel-versions. If a new initramfs or initrd is created, enter them in the line for initrd.

In our /grub/menu.lst, quit the same for grub2, the resulting entry for FSE (Full System Encryption) performed according to by gentoo-Schnatterente is:
title dracut-mdv-008-Linux
password --md5 $103Axa2112...
kernel (hd0,7)/vmlinuz BOOT_IMAGE=dracut-mdv-008-Linux root=UUID=2193ab... resume=UUID=2193ab... rootfstype=ext4 elevator=deadline nosmp security=none panic=0 apparmor=0 selinux=0 disable=IPV6 audit=0 hibernate=protect_image iomem=strict nosmp iomem=relaxed speedboot=yes KEYMAP=de LANG=de_DE.UTF-8 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.lvm=0 rd.luks.allow-discards rd.luks.uuid=ab1....vga=795 video=VGA-1:1366×768 tz=Europe/Berlin
initrd (hd0,7)/initramfs

0 of (hd0,7) stands for sda, 1 for sdb usw. and 7 for the boot-partition sda8, deadline for the SSD optimizing elevator resp. scheduler to choose, what is introduced soon through the configuraiton by special echo-commands.

Set resume=UUID=... from above to the UUID from root=UUID=... from above (UUID of the Luks-encrypted root-partition) ! Also eventually set the boot-parameter noinitrd.

OK kernel.yama.ptrace_scope=3
# 0 - Default attach security permissions.
# 1 - Restricted attach. Only child processes plus normal permissions.
# 2 - Admin-only attach. Only executables with CAP_SYS_PTRACE.
3 - No attach. No process may call ptrace at all. Irrevocable.

echo "kernel.yama.ptrace_scope=3" > /etc/sysctl.d/10-ptrace.conf


The rescue-system Knoppix (Debian Linux, in our case Wheezy ol´ stable i386 (32 bit) from year 2010 with partition-manager gparted and dd, browser iceweazel and many tools and software) copied from DVD to an extra partition of at least 250 MB is listed in /boot/grub/menu.lst of the bootmanager Grub as follows:

title Rescue
kernel /boot/isolinux/linux knoppix keyboard=de lang=de_DE.UTF-8 desktop=kde tz=Europe/Berlin
initrd /boot/isolinux/minirt.gz


It boots within few seconds and makes password-request to make it run and to get decrypted from its partition. After the login, in order to decrypt all the other LUKS-encrypted partitions, LUKS/dm-crypt should be installed, so at first packet cryptsetup has to be downloaded from the Debian-pool ( Update glibc too. If you want, you can update and/or increase this system up to a more comfortablel Debian Linux on an enlarged partition.

Information about the availability of TRIM of a SSD for the TRIM with discard-option on the base of ext4 out of /etc/fstab:

hdparm -I /dev/sda | grep -i trim

Our partition-concept for MCC-" partition manager (local harddrives) or gparted upon parted,
our partiitions on SanDisk SSD 120 GB:
OK LUKS-(cryptsetup)-encrypted extra partition (for sensible data and so on, with a key-file, that means for automatic encryption and decryption): 29 GB
OK LUKS-(cryptsetup)-encrypted root-partition ("schnatterschnatter - but no ente"quot;): 50 GB
OK LUKS-(cryptsetup)-encrypted (urandomed self de- and encrypting) SWAP-partition: 1,9 GB (2 GB RAM)
OK Boot-partition (unencrypted, so that this partition should be backuped to compare files like kernel named vmlinuz with md5sum or sha1sum) : 203 MB
OK KNOPPIX-encrypted-partition Knoppix (rescue system from DVD, a up to year 2016 actualized Debian Ol´ Wheezy from year 2010 with gparted, dd and much more. LUKS (cryptsetup) should be installed additionally too for editing above listed other partitions): 894 MB
OK LUKS-(cryptsetup)-encrypted home partition (encrypted and decrypted automatically during boot by a once generated belonging key-file from the root-partition): 34 GB

Advantage: easy handling, without Logical Volume Management (LVM) !

This all 1:1 upon another securing media, in our case the same one and therefore one more SanDisk 120 GB.

OK /etc/crypttab
# <target name> <source device> <key file> <options>
cryptohome UUID=.... /somewhere/keyfile luks,data=ordered,allow-discards
cryptswap /dev/sda_certain_number /dev/urandom swap,check=/bin/true,data=ordered,allow-discards

setkey y z
setkey z y
setkey Y Z
setkey Z Y
setkey equal parenright
setkey parenright parenleft
setkey parenleft asterisk
setkey doublequote at
setkey plus bracketright
setkey minus slash
setkey slash ampersand
setkey ampersand percent
setkey percent caret
setkey underscore question
setkey question underscore
setkey semicolon less
setkey less numbersign
setkey numbersign backslash
setkey colon greater
setkey greater bar
setkey asterisk braceright
timeout 10
password --md5 ...
default 0
kernel (hd0,7)/vmlinuz BOOT_IMAGE=linux root=UUID=c1... rd.luks.allow-discards rootfstype=ext4 nosmp elevator=deadline security=none nosmp speedboot=yes panic=0 apparmor=0 iomem=strict hibernate=protect_image disable=IPV6 selinux=0 audit=0 KEYMAP=de LANG=de_DE.UTF-8 intel.modeset=1 intel.dpm=1 rd.luks=1 rd.multipath=0 rd.lvm=0 rd.luks.uuid=3... video=VGA-1:1366×768 vga=795 tz=Europe/Berlin desktop=kde
initrd (hd0,7)/initramfs-4.9.49

The root-partition seems to be sized quit small, so choose 60 GB instead of 50, we suggest to the disadvantage of the extra partition.

Order each entry in the device-configuration-file /etc/fstab: 1 device-file (partition or disc))/device/UUID/kernel-partition 2 mountpoint 3 filesystem 4 mount-options 5 Dump 6 fsck (self-check during the system start resp. boot), details:

OK So in /etc/fstab we can set for ext4 (discard supported), ext3 (withoud discard), reiserfs (without discard), reiser4fs (discard), btrfs (discard), vfat (without discard):

OKroot-partition: UUID=... / ext4 notail,noatime,nodiratime,barrier=flush,data=writeback,nouser,user_xattr,mode=500,async,commit=0,umask=077,iocharset=utf-8,acl 0
OKBootpartition (hier wegen dracut): UUID=... /boot ext4 noatime,nodiratime,ro,nouser,nouser,noexec,async,nosuid,mode=500,umask=077,user_xattr,data=writeback,commit=0,iocharset=utf-8,acl 0 3
OKHome-Partition: /dev/mapper/cryptohome /home ext4 rw,suid,nodev,noexec,nosuid,auto,async,noatime,nodiratime,discard,data=writeback,commit=0,nouser_xattr,barrier=1,journal_checksum,mode=700,umask=077,errors=remount-ro,iocharset=utf-8 0 # automatic cryptsetup is recommended (cryptsetup-option --key-file): Only access over the root-partion with the stored key-file will be possible. Acess-rights for the key-file: chown root:root path_to_key_file/key.asc && chmod 400 /patch_to_key_file/key.asc
# exec or noexec
OK /dev/cdrom /media/cdrom auto umask=0,users,noauto,iocharset=utf8,ro,noexec 0 0
OKproc /sid-root/proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555,hidepid=2,gid=user,surfgroup,torgroup 0 0 # mouseclick-fast
none /proc proc notail,noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,data=writeback,mode=555 0 0
OK# usbfs /proc/bus/usb usbfs rw,relatime,devgid=43,devmode=664,noexec 0 0 # if not already mounted during system boot; notice: MCC-Partiton-Manager and so on will miss /proc/bus/usb
OKsysfs /sid-root/sys sysfs notail,noatime,nosuid,nodiratime,rw,noexec,nouser,nosuid,nodev,data=writeback,mode=555 0 0
OKTemporary, tmp ins RAM::
OKtmpfs /tmp tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=8M 0 0 # original tmp, that was made hidden by firejail using option "private-tmp" within any /etc/firejail/config-files
OKshm /tmp tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
OKtmpfs /tmp2 tmpfs noatime,nodiratime,noexec,ro,nodev,nouser,nosuid,mode=1777,size=128M 0 0 # one more tmp for the down- and uploads
OKshm /tmp2 tmpfs noatime,nodiratime,noexec,rw,nodev,nosuid,nouser,mode=1777 0 0
OK/dev/mapper/cryptswap swap swap defaults,discard,rw,data=writeback 0 0
OKnone /dev/pts devpts mode=620,gid=5,rw
OKUUID=... /var/local ext4 rw,noatime,nodiratime,nosuid,aync,nodev,noexec,user_xattr,acl,barrier=1,data=writeback,mode=755,umask=077,commit=0,iocharset=utf8 # needed in small size of around 1 GB in order to mount the root-partition read-only
OKbinfmt /proc/sys/fs/binfmt_misc binfmt_misc rw,noatime 0 0 # binfmt_misc is a capability of the Linux kernel which allows arbitrary executable file formats to be recognized and passed to certain user space applications, such as s emulators and virtual machines. The executable formats are registered through a special purpose file system interface (similar to /proc). Debian-based distributions provide the functionality through an extra binfmt-support package.[1]...see

securityfs /sys/kernel/security /mnt/any_mountpoint securityfs rw,noatime 0 0 # lsm, secure fs for kernel-security-modules ... or mount it within /etc/rc.local by "mount -t securityfs -o rw,noatime /sys/kernel/security /mnt2"
# and /etc/fstab of our USB-stick:
/dev/sda1 / unionfs 0 1

/dev/mapper/usbstick1 /media/mnt_usb1 vfat rw,nosuid,nodev,uhelper=hal,users,noexec,uid=10001,utf8,shortname=mixed,flush,umask=077 0 1 # An entry in /etc/crypttab only instead of both files fstab and crypttab is sufficient. LUKS-encrypted USB-memory-stick with UUID (you can find out by mount -l ) and name usbstick1 within /etc/crypttab. Also think about mounting this encrypted USB-stick without having to enterthe password for encryption manually each system boot by creating a key-file or using the already present one from cryptohome, adding this key-file to /etc/crypttab and assocating it with the USB-stick by the command "cryptsetup luksAddKey /dev/sdc1 /path_to_keyfile/keyfile". Notice, that it might not be necessary to add this entry for an USB-memory stick in /etc/fstab here. Do this only in the case of problems with their hotplug!

OK/etc/fstab: Set the UUIDs instead of the named device-partitions Find out the UUIDs with the console-command "blkid" (this is not possible for the internal kernel-partitions).

OKAHCI-Mode: BIOS-setup for SSD
Start the Bios- / Firmware-setup and look, if the AHCI-Modus (Advanced Host Controller Interface) for the SATA-adapter is active. Alternatively "RAID" is possible too.
You can almost find the option in the menu under "Advanced -> Integrated Peripherals", "SATA Configuration" or "PCH Storage Configuration". Elder mainboard-platines do also have the option "IDE", in order to increase the throughput of the harddrives, if not chosen. If there is provided only "IDE", you must resign from the SATA-optimization.
On a side for overview ("System Status" or similar side) you almost find infomation about the SATA-Port the harddrives get connected. New motherboards only do have SATA-ports with fast 6 GBit/s (SATA III) and any port can be used. SATA II as much as SATA I fullfill our criteria to make all running mouseclick-fast.

OK And in /etc/rc.local (started by adding "sh /etc/rc.local" from any activated bootscript of /etc/init.d/, followed by a system-restart) for optimized SSD (in our example on the first S-ATA-port named sda) we choose the following parameters after a check with "hdparm -I /dev/sda": and "man hdparm":

hdparm -W1a0A0 /dev/sda (also try other optimizing parameters of hdparm)
echo deadline > /sys/block/sda/queue/scheduler
echo 500 > /proc/sys/vm/dirty_writeback_centisecs
echo 20 > /proc/sys/vm/dirty_ratio
echo 5 > /proc/sys/vm/dirty_background_ratio
touch /var/lock/subsys/local

SSD: commit=0: mouseclick-fast

Option defaults consists of the for security significant async,nouser,rw,suid,dev,exec,auto.

man mount: "All I/O to the filesystem should be done synchronously. In case of media with limited number of write cycles (e.g. some flash drives) "sync" may cause life-cycle shortening." In other words, for SSD prefer option async!

The namely security advised option "W0" instead of elected W1 deactivates the write-cache of the SSD, what protects data even more in the case of system hangons and breakdowns. More parameters of hdparm are explained by "hdparm -h" and manpages, see "man hdparm".Notice, that for more performcance "W1" for write-cacheing is generally recommended.

The pair of number from above like "0 1" stands for dump equal to no and fsck equal to yes, while the number itself stands for 0 none (no check), 1 recommended for the root-partition, 2 for all other partitionss and 3 for all less important partitions. With these setting, named filesystem can not be damaged anymore, otherwise, if ever thinkable, use manually "reiserfsck --no-tree device_file" to do its best for reiserfs.

umask: generally sets the access-rights as a subtrahend: Set umask 022 standing for less or equal 755 resp. umask 077 for less or equal 700 for the root- and home-partition in /etc/fstab and also in: /etc/profile, /etc/login.defs, /home/user/.bash_profile, /home/surfuser/.bash_profile, /root/.bash_profile, ROOT_UMASK=077 in /etc/security/msec/ and USER_UMASK=077; acl: enable POSIX Access Control Lists.

Keep everything as SSD-friendly and mouseclick-fast you can, link the browser-cbache of Konqueror to the temporary directory /tmp being part of shm (shared memory, RAM) from fstab above:

OKrm -df /home/surfuser/.kde4/cache-localhos and ln -sf /tmp /home/surfuser/.kde4/cache-localhost, /home/surfuser/tmp, /home/user/.kde4/cache-localhost, /home/user/.kde4/socket-localhost, /home/user/.kde4/tmp, /home/user/.kde4/tmp-localhost and

ln -sf /tmp/kde-user /home/user/.kde4/tmp-localhost.localdomain, ln -sf /tmp/kde-surfuser/.kde4/tmp-localhost.localdomain . In the long run this spares plenty of cleaning. Do not link cache-localhost.localdomain and socket-localhost.localdomain, as this might cause some problems starting KDE.

OKln -sf /tmp /home/alluser/.cache2 && rm -dfr /home/alluser/.cache &&rename /home/alluser/.cache2 /home/alluser/.cache /home/alluser/.cache2

bleachbit (el6, cleaner): This program can cause serious hard damage!

We go on for SSD: Option discard is not functioning each kernel and SSD. commit sets the interval or frequency for write-operations, what is 5s per default. It is not recommended to change this value. barrier is one more feature of ext4 and ext3 caring for writing (coherent) data right in front of a barrier before such coherent data are writtten behind it. barriers=1 effects more securirty, while barriers=0 contributes to more perfmormance. ro for read-only still should not be set for the root-partition. This would have caused "skipping journal replay". data=writeback means "Data ordering (data=ordered) is not preserved, data may be written into the main file system after its metadata has been committed to the journal.", options see . Most options are accepted by ext3 too, but not reiserfs. Notice, that reiserfs does not accept all of the listed options like barrier, errors and discard, inspite of this option nolog is accepted. Test options by "mount -o options devicefile mountpoint", before they are set in /etc/fstab!

rpm-description cmospwd (el6): "CmosPwd decrypts password stored in cmos used to access BIOS SETUP. Works with the following BIOSes * ACER/IBM BIOS * AMI BIOS * AMI WinBIOS 2.5 * Award 4.5x/4.6x/6.0 * Compaq (1992) * Compaq (New version) * IBM (PS/2, Activa, Thinkpad) * Packard Bell * Phoenix 1.00.09.AC0 (1994), a486 1.03, 1.04, 1.10 A03, 4.05 rev 1.02.943, 4.06 rev 1.13.1107 * Phoenix 4 release 6 (User) * Gateway Solo - Phoenix 4.0 release 6 * Toshiba * Zenith AMI With CmosPwd, you can also backup, restore and erase/kill cmos."

So at first, generally the best thing one can do, is to abrogate the complete internet-access (what we do not suppose...) and to get a spare-parted backup-SSD or harddrive for the case of all the on mdv2010 remaining unsolved dependencies of packages your are going to install, that means in order to

Browser-Cache into RAM
about:config ->, to add a new entry type string
with the value /shm
After a newstart, firefox is cached into RAM. Go quit the same way for other browsers, source: For Konqueror just link directory /home/username/.kde4/localhost-cache to /shm.

Convince yourself to get gnutls (el7) with libtasn1 (el7) installed. Otherwise gnutls might not work correctly for firefox.

backup partitionwise 1:1 by command dd (details see below)

OKFlashrom, Coreboot
Have a second BIOS-chip. Save the actual BIOS-firmware of the used BIOS-chip into a bin(ary) resp. rom-file. This can be done by an utility from the disc with drivers for the mainboard, out of the internet or by the UNIX-(Linux)-program called flashrom. flashrom is a utility for detecting, reading, writing, verifying and erasing flash chips. It´s often used to flash BIOS/EFI/coreboot/firmware images in-system using a supported mainboard, but it also supports flashing of network cards (NICs), SATA controller cards and other external devices, which can program flash chips. On malfunction especially after the powering on of the computer, you can flush the BIOS through the backup up right from the desktop, if not, you have to exchange the chip or the net-adapter, same for the RAM, that can be checked by progs of UNIX (Linux) like memtest. For the protection against wiretapping bedbugs care for "chassis intrusion detection", for the usage of as few USB-cards as possible, if the BIOS is resetted and if there are any hearable feedbacks from hardware inspite of FCC. Compare constructions and notice any specifications direct from the platines like the manufacturer-types or -ID . With some luck, a radio tunes their frequencies.

"Welcome to coreboot!
coreboot is an Open Source project aimed at replacing the proprietary BIOS (firmware) found in most computers. coreboot performs a little bit of hardware initialization and then executes additional boot logic, called a payload. With the separation of hardware initialization and later boot logic, coreboot can scale from specialized applications that run directly from firmware, run operating systems in flash, load custom bootloaders, or implement firmware standards, like PC BIOS services or UEFI. This allows for systems to only include the features necessary in the target application, reducing the amount of code and flash space required.
coreboot currently supports over 230 different mainboards. Check the Support page to see if your system is supported."


If Linfw3 is used, so that root and all other user except a special surfuser get blocked, and if all other methods introduced here on this webside are performed, no password hacking and cracking is ever possible anymore, even not after the password got known by other ones and independent from its name or constitution or who and whatever, neither from the outside (net), inside (software) nor direct at office or home or anywhere. Keys for the LUKS-encrypted partitions must be stored on a portable USB-memory-stick, better memory-/chip-card or fingerprint-scanner

Password-protection on our introduced exemplary system:
Grub-md5-Password for all bootable partitions and memory-check within /boot/grub/menu.lst
Special (own) inportable password for always LUKS-encrypted partitions on the base of FSE (Full System Encryption) with keys (passwords) for the dracut-enbound root-Partition on a LUKS-password encrypted USB-memory-stick, rest (see exemplary listed /etc/fstab) as sha2-key-file for user:group root:root and chmod 400 within any directory of the root-partition
Secured LUKS-root-partition with manual password-login onto a separate storage media for the cass of data loss from USB-memory-stick etc.
ACL-locked su-login for "surfuser"
Keys (passwords) for the additional encryption of e-mail and single directories and files with gnupg (kgpg) within the for "surfuser" by ACL inaccessible made directory .gnupg
desktop-manager: user-password for kdm and other desktop manager (or simplefying automized login free from password-entry)
Passwörds for LUKS-encrypted USB-memory-sticks
Password-manager for the twice password-encrypted access storage for all other passwords: revelation (el6, el7, rosa2014.1, rosa2016.1, fc 2X)
/etc/shadow (password-)file: chown root:root and chmod 400
OKinacccessible shell-bash-login in /etc/passwd and eventually usage of sandbox firejail with option "shell none"

Password protection, Focus, 11.04.2015
Snowden meant, hacker could hack a primitive password within one second. But the whistleblower gives tipps, how to keep passwords safe, so that they can not be hacked: by passphrases. Most passwords are simple variants like "12345678", "password" or the forename of the user. Edward Snowden thinks, passwords with the length of eight characters still do remain very insecure. They could be hacked by supercomputers in less than one second. Passphrases are passwords consisting of more than one word. Long, one time appearing sentences like


are easy to remember and combine different characters. They could not be decrypted by hacking programs.

A similar uncrackable method for password generation is described by on .

Expert explains: The perfect password would be cracked by hackers in 227 millionen years, FOCUS Online, 09.05.2018

Passwords are stored in the, as we hope, only root-accessible /etc/shadow for Linux. This file is handled over /etc/passwd listing usernames, belonging groups, "x" as a replacement for the password to read-in and so on.

All sensible data should never be stored on the onboard resp. plugged-in storage-media, SSD and harddrives and only onto those unplugged ones containing the backups and onto well-encrypted USB-memory-sticks!

More Internet Security
pam_shield (el6): pam_shield is a PAM module that uses iptables to lock out script kiddies that probe your computer for open logins and/or easy guessable passwords. pam_shield is meant as an aid to protect public computers on the open internet. An IP can also be entered manually by the command shield-trigger add into the belonging database, same through "del" for deletion..pam_shield should get configured in /etc/security/shield.conf.
fail2ban (el6): Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.

DenyHosts is a Python script that analyzes the sshd server log messages to determine which hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host and, upon discovering a repeated attack host, updates the /etc/hosts.deny file to prevent future break-in attempts from that host. Email reports can be sent to a system admin.

If you beware this principle, the computer generally provides the promised security for you.

Of course we tested and possess MS Windows. As we all know, it is not sufficient just to install an operating system and security-software to call the computer-system really secure, while finding out, that effective solutions may cost time! Installation should be done by users with the rights of the system-administrator only. During installation the signatur helps to be aware of the origin of software. Before the installation itself, packet-manager check out dublications and dependencies. If a packet is ever missing, packet-manager like urpmi can download and install all needed packages from different sources and the internet. to solve them. After that, version-control by CVS (Version Controlling Systems) can also do their best. The packet-database seems to be similar to the MS-Win-registry, but it is not such complex. If the packet-database should ever be damaged, it can be repaired in a simple way by the commands rm -f /var/lib/rpm/__* and rpm --rebuilddb. If this should not help, start the MCC packet-manager rpmdrake, in order to install any packet. rpmdrake is almost able to solve such conflicts. Notice, that MCC´s downloaded files are at least temporary in directory /var/cache/urpmi/rpms. Not all of the infinite amount of packet-dependencies are solved, even not in mdv2010!

OKHow to Rebuild Corrupted RPM Database in CentOS, Aaron KiliJune 1, 2018 Categories CentOS 3 Comments
The RPM database is made up of files under the /var/lib/rpm/ directory in CentOS and other enterprise Linux distributions such as RHEL, openSUSE, Oracle Linux and more.
If the RPM database is corrupted, RPM will not work correctly, thus updates cannot be applied to your system, you encounter errors while updating packages on your system via YUM package manager. The worst case scenario is being unable to run any rpm and yum commands successfully.
There are a number of factors that can lead to the RPM database corruption, such as incomplete previous transactions, installation of certain third-party software, removing specific packages, and many others.
In this article, we will show how to rebuild a corrupted RPM database; this way you can recover from an RPM database corruption in CentOS. This requires root user privileges, otherwise, use the sudo command to gain those privileges.
First start by backing up your current RPM database before proceeding (you might need it in the future), using the following commands.
# mkdir /backups/
# tar -zcvf /backups/rpmdb-$(date +"%d%m%Y").tar.gz /var/lib/rpm
Next, verify the integrity of the master package metadata file /var/lib/rpm/Packages; this is the file that needs rebuilding, but first remove /var/lib/rpm/__db* files to prevent stale locks using following commands.
# rm -f /var/lib/rpm/__db*
# /usr/lib/rpm/rpmdb_verify /var/lib/rpm/Packages
In case the above operation fails, meaning you still encounter errors, then you should dump and load a new database. Also verify the integrity of the freshly loaded Packages file as follows.
# cd /var/lib/rpm/
# mv Packages Packages.back
# /usr/lib/rpm/rpmdb_dump Packages.back | /usr/lib/rpm/rpmdb_load Packages
# /usr/lib/rpm/rpmdb_verify Packages
Now to check the database headers, query all installed packages using the -q and -a flags, and try to carefully observe any error(s) sent to the stderror.
# rpm -qa >/dev/null #output is discarded to enable printing of errors only
Last but not least, rebuild the RPM database using the following command, the -vv option allows for displaying lots of debugging information.
# rpm -vv --rebuilddb
Now to check the database headers, query all installed packages using the -q and -a flags, and try to carefully observe any error(s) sent to the stderror.
# rpm -qa >/dev/null #output is discarded to enable printing of errors only
Read Also: 20 Practical Examples of RPM Command in Linux:

Indeed: Our experience in mdv2010 tells us, that the only weak point grounds still in the overwhelming amount of existing packet-dependencies during an intensive installation of packages online (with a high amount of packages) by rpmdrake from MCC (drakconf) quit "at once" of a complexity much higher than from installation-DVD. Therefore we recommend not to download too many packets, not more than 50 "at once" and to have a look into the directory /var/lib/urmpi/rpms, where the not installed packages are still stored, if MCC is set to "do not empty the packet-cache after download" before. Then error-messages of the reinstallation by packet-manager like rpm, urpmi and yum almost tell what to do next - if there is inspite of checks of rpmdrake within the packet still any rpm, especially library-rpm, missing or if one rpm conflicts with another one to delete it before reinstallation is possible.

We repeat: agesschau, 07.31.2014: Actually scientific experts found out, that sensible data can be read out through microcontrollers (processors) from USB-sticks, see the report from our linkside under the point links! Therefore a new USB-standard is devoloped. By this, all data of computers can be read out, even passwords and email-contents as much as devices be steered like webcams. The operating sytem does not notice all of this, as it believes in key-strokes and not software attacks.


Mouseclick-fast: We almost have just the following services activated through MCC: NetworkManager, acpid, alsa, cups, dnsmasq, gpm, ip6tables, iptables, jexec, linfw3, lm_sensors, partmon, postfix, sound, sysstat, udev-post, uuidd, wine and sometimes ntpd and httpd.

That´s all. So service network got deactivated too by command "chkconfig --level 2345 network off".

Increase the surf-speed with the browser, press STRG and ESC, choose the process for the browser by right clicking onto him and pull the appearing shift register for the process-priority at least one quarter length right. Alternatively use the terminal-commands nice and renice for a priority between -20 and 19 incl., default is 0 (source. Focus Onine, 07.11.2015); Gooken recommends extrem high priorities for Dolphin, Kmail, Kontact, Kopete, Office, some OpenGL- and SDL-games (if useful) and Konqueror and/or any other browser,

Brake block and espionage: "root,-1", ( dangerous, speed lowering ) (system-)process named unknown (for login under uid:0) of owner "root,-1" with changing PID and unknown dimesioned CPU-enburdening "kept secret"

In advance, this might really help: setfacl -m u:root:- /usr/libexec/gam_server
. Also exchange gamin (mdv2010) with gamin (pclos2017).
Such a process is called a "comet" by systems administrators.
The process group ID (PGID) doesn´t change on fork, so you can kill it (or SIGSTOP it) by sending a signal to the process group (you pass a negated PGID instead of a PID to kill).
answered Dec 1 ´12 at 1:18
What if it calls setpgid/setsid each time too? :-) - R.. Dec 1 ´12 at 2:28
The only reason, I can see, why you wouldn´t see it is, that the forked child has not been created yet but the parent has progressed far enough in it´s death that it is no longer listed.
Unfortunately I don´t think it´s possible to kill this kind of process without some guessing. To do so would require knowing the next pid in advance. You can guess the next pid but not be certain that no other pid gets it assigned.

We generally want to get rid of such processes: Wait for our new experiences at this place! Mouseclick-fast and secure: the ultimative speed boost beneath SSD-technology from see data-sheed: At first, update the gam_server (gamin (fc25) and gamin-server (OpenSuSE13.2) with gam_server into /usr/libexec) or remove it (like in OpenSuSE, where gamin is not offered), that might has to do with it and never connect to the ISP (Internet Service Provider) using the NetworkManager (el6) together with networkmanager-applet (mdv2010.2), but through "ifup eth0" by surfuser (but without naming surfgroup) instead, maybe out of the K-Menu, in the case of Konqueror for example set:

renice -n 18 ´pidof konqueror´

that means for surfuser joining surfgroup in order to start konqueror after the login to surfuser:

"knemo && sg surfgroup konqueror && renice -n 18 ´pidof konqueror´ && kded4"

rpm-description: "Run command in restricted environment. Chrootuid makes it easy to run a network service at low privilege level and with restricted file system access. At Eindhoven University, they use this program to run the gopher and www (world-wide web) network daemons in a minimal environment: The daemons have access only to their own directory tree, and run under a low-privileged userid. The arrangement greatly reduces the impact of possible loopholes in daemon software."

OK Or additionally on the base of the suid-sandboxfirejail (ram80:, rosa2014.1, rosa2016.1, pclos2017 or for all programs online and untrusted (following the includes, that might be some, we chose firejail for quit all), one more program for mdv2010.2 or el6 from rosa2014.1, that you also can download from here:

firejail-0.9.52-1pclos2017.x86_64.rpm (from December 2017, vendor:none,
or download firejail pclos2017 preconfigured by us for firefox, Konqueror and kmail and so on from our update-section preconfigured by us for firejail-0.9.52-1.

"knemo && sg surfgroup "firejail --private=/home/surfuser konqueror" && renice -n 18 ´pidof konqueror´ && kded4"

or, enhanced with option --profile:

"knemo && sg surfgroup "unshare firejail --nice=18 --profile=/etc/firejail/konqueror.profile --private=/home/surfuser konqueror" && kded4"

This call seems to get quit long, so for a start with priority 18 from -20 up to 20 by a single (or double) mouseclick do not forget to add an this command into the belonging entry for konqueror within the k-menu, on the desktop or in the quick-starter of the taskline. For shell-scripts this can be done by "xterm -e /path_to/" resp. "konsole -e /path_to/"

Linux namespaces sandbox program firejail,
"Firejail is a SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table.
Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x (and 5.4.110 with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp., com., Gooken) kernel version or newer. The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer.
Firejail can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes security profiles for a large number of Linux programs: Mozilla Firefox, Chromium, VLC, Transmission etc."

OK Firejail is a SUID sandbox program, that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces.

firejail - version 0.9.48

-- - signal the end of options and disables further option processing.
--allow-debuggers - allow tools such as strace and gdb inside the sandbox.
OK--allow-private-blacklist - allow blacklisting files in private
home directories.
--allusers - all user home directories are visible inside the sandbox.
--apparmor - enable AppArmor confinement.
--appimage - sandbox an AppImage application.
--audit[=test-program] - audit the sandbox.
--bandwidth=name|pid - set bandwidth limits.
--bind=dirname1,dirname2 - mount-bind dirname1 on top of dirname2.
--bind=filename1,filename2 - mount-bind filename1 on top of filename2.
--blacklist=filename - blacklist directory or file.
-c - execute command and exit.
--caps - enable default Linux capabilities filter.
OK--caps.drop=all - drop all capabilities.
--caps.drop=capability,capability - blacklist capabilities filter.
--caps.keep=capability,capability - whitelist capabilities filter.
--caps.print=name|pid - print the caps filter.
--cgroup=tasks-file - place the sandbox in the specified control group.
--chroot=dirname - chroot into directory.
--cpu=cpu-number,cpu-number - set cpu affinity.
--cpu.print=name|pid - print the cpus in use.
--csh - use /bin/csh as default shell.
--debug - print sandbox debug messages.
--debug-blacklists - debug blacklisting.
--debug-caps - print all recognized capabilities.
--debug-check-filename - debug filename checking.
--debug-errnos - print all recognized error numbers.
--debug-protocols - print all recognized protocols.
--debug-syscalls - print all recognized system calls.
--debug-whitelists - debug whitelisting.
--defaultgw=address - configure default gateway.
OK--dns=address - set DNS server.
--dns.print=name|pid - print DNS configuration.
--env=name=value - set environment variable.
--force - attempt to start a new sandbox inside the existing sandbox.
--fs.print=name|pid - print the filesystem log.
--get=name|pid filename - get a file from sandbox container.
--help, -? - this help screen.
--hostname=name - set sandbox hostname.
--hosts-file=file - use file as /etc/hosts.
--ignore=command - ignore command in profile files.
--interface=name - move interface in sandbox.
OK--ip=address - set interface IP address.
--ip=none - no IP address and no default gateway are configured.
--ip6=address - set interface IPv6 address.
--iprange=address,address - configure an IP address in this range.
OK--ipc-namespace - enable a new IPC namespace.
--join=name|pid - join the sandbox.
--join-filesystem=name|pid - join the mount namespace.
--join-network=name|pid - join the network namespace.
--join-or-start=name|pid - join the sandbox or start a new one.
--list - list all sandboxes.
--ls=name|pid dir_or_filename - list files in sandbox container.
--mac=xx:xx:xx:xx:xx:xx - set interface MAC address.
--machine-id - preserve /etc/machine-id
--mtu=number - set interface MTU.
--name=name - set sandbox name.
--net=bridgename - enable network namespaces and connect to this bridge.
OK--net=ethernet_interface - enable network namespaces and connect to this Ethernet interface.
--net=none - enable a new, unconnected network namespace.
OK--netfilter[=filename] - enable the default client network filter.
--netfilter6=filename - enable the IPv6 network filter.
OK--netns=name - Run the program in a named, persistent network namespace.
--netstats - monitor network statistics.
OK--nice=value - set nice value.
OK--no3d - disable 3D hardware acceleration.
OK--noblacklist=filename - disable blacklist for file or directory .
OK--noexec=filename - remount the file or directory noexec nosuid and nodev.
OK--nogroups - disable supplementary groups.
OK--nonewprivs - sets the NO_NEW_PRIVS prctl.
--noprofile - do not use a security profile.
OK--nosound - disable sound system.
OK --novideo - disable video devices.
OK--nowhitelist=filename - disable whitelist for file or directory .
--output=logfile - stdout logging and log rotation.
--overlay - mount a filesystem overlay on top of the current filesystem.
--overlay-named=name - mount a filesystem overlay on top of the current filesystem, and store it in name directory.
--overlay-tmpfs - mount a temporary filesystem overlay on top of the current filesystem.
--overlay-clean - clean all overlays stored in $HOME/.firejail directory.
OK--private - temporary home directory.
OK--private=directory - use directory as user home.
OK --private-home=file,directory - build a new user home in a temporary
filesystem, and copy the files and directories in the list in the new home.
OK--private-bin=file,file - build a new /bin in a temporary filesystem and copy the programs in the list.
OK--private-dev - create a new /dev directory. Only dri, null, full, zero,tty, pst, ptms, random, snd, urandom, log and shm devices are available.
OK--private-etc=file,directory - build a new /etc in a temporary filesystem, and copy the files and directories in the list.
OK--private-tmp - mount a tmpfs on top of /tmp directory.
OK--private-opt=file,directory - build a new /opt in a temporary filesystem.
--profile=filename - use a custom profile.
--profile-path=directory - use this directory to look for profile files.
--protocol=protocol,protocol,protocol - enable protocol filter.
--protocol.print=name|pid - print the protocol filter.
--put=name|pid src-filename dest-filename - put a file in sandbox container.
--quiet - turn off Firejail´s output.
OK--read-only=filename - set directory or file read-only..
--read-write=filename - set directory or file read-write..
--rlimit-fsize=number - set the maximum file size that can be created by a process.
OK --rlimit-nofile=number - set the maximum number of files that can be opened by a process.
OK --rlimit-nproc=number - set the maximum number of processes that can be created for the real user ID of the calling process.
--rlimit-sigpending=number - set the maximum number of pending signals for a process.
OK--rmenv=name - remove environment variable in the new sandbox.
--scan - ARP-scan all the networks from inside a network namespace.
OK --seccomp - enable seccomp filter and apply the default blacklist.
Enable seccomp filter and blacklist the syscalls in the default list. The default list is as follows: mount, umount2, ptrace, kexec_load, kexec_file_load, open_by_handle_at, init_module, finit_module, delete_module, iopl, ioperm, swapon, swapoff, syslog, process_vm_readv, process_vm_writev, sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp, add_key, request_key, keyctl, uselib, acct, modify_ldt, pivot_root, io_setup, io_destroy, io_getevents, io_submit, io_cancel, remap_file_pages, mbind, get_mempolicy, set_mempolicy, migrate_pages, move_pages, vmsplice, perf_event_open and chroot.
Enable seccomp filter, blacklist the default list and the syscalls specified by the command.
Example: firejail --seccomp=utime,utimensat,utimes firefox
Enable seccomp filter, and blacklist the syscalls specified by the command.
Example: firejail --seccomp.drop=utime,utimensat,utimes
--seccomp.keep=syscall,syscall,syscall - enable seccomp filter, and whitelist the syscalls specified by the command.
--seccomp.<errno>=syscall,syscall,syscall - enable seccomp filter, and return errno for the syscalls specified by the command.
--seccomp.print=name|pid - print the seccomp filter for the sandbox identified by name or PID.
OK--shell=none- run the program directly without a user shell.
--shell=program - set default user shell.
--shutdown=name|pid - shutdown the sandbox identified by name or PID.
--tmpfs=dirname - mount a tmpfs filesystem on directory dirname.
--top - monitor the most CPU-intensive sandboxes.
--trace - trace open, access and connect system calls.
--tracelog - add a syslog message for every access to files or directories blacklisted by the security profile.
--tree - print a tree of all sandboxed processes.
--version - print program version and exit.
--veth-name=name - use this name for the interface connected to the bridge.
--whitelist=filename - whitelist directory or file.
--writable-etc - /etc directory is mounted read-write.
--writable-var - /var directory is mounted read-write.
--writable-var-log - use the real /var/log directory, not a clone.
OK --x11 - enable X11 sandboxing. The software checks first if Xpra is installed, then it checks if Xephyr is installed. If all fails, it will attempt to use X11 security extension.
--x11=none - disable access to X11 sockets.
--x11=xephyr - enable Xephyr X11 server. The window size is 800x600.
OK--x11=xorg - enable X11 security extension.
--x11=xpra - enable Xpra X11 server.
--x11=xvfb - enable Xvfb X11 server.
--zsh - use /usr/bin/zsh as default shell.

$ firejail firefox
start Mozilla Firefox
$ firejail --debug firefox
debug Firefox sandbox
$ firejail --private --sna= firefox
start Firefox with a new, empty home directory, and a well-known DNS-server setting.
$ firejail --net=eth0 firefox
start Firefox in a new network namespace
$ firejail --x11=xorg firefox
start Firefox and sandbox X11
$ firejail --list
list all running sandboxes

License GPL version 2 or later

"Mit Firejail lässt sich das Risiko erheblich reduzieren, das von bis dato ungepatchten Sicherheitslücken in Programmen ausgeht.",

Firejail has got two very interesting options: --profile, what is done with default.profile by default as much as one profile for each program resp. process out of a hugh amount from /etc/firejail and --private. Last one completes the sandbox in a whole. Refering to linfw3, for still blocking all trojans resp. backdoors, use the already listed firejail-option --profile=/home/surfuser, especially the pregiven (and already listed) profiles.

Resign from firejail, if firefox does not work correctly, until firejail gets reconfigured well enough !

"SECure COMPuting with filters (like seccomp within firejail)
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. As system calls change and mature, bugs are found and eradicated. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications.
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments. This allows for expressive filtering of system calls using a filter program language with a long history of being exposed to userland and a straightforward data set.
Additionally, BPF makes it impossible for users of seccomp to fall prey to time-of-check-time-of-use (TOCTOU) attacks that are common in system call interposition frameworks. BPF programs may not dereference pointers which constrains all filters to solely evaluating the system call arguments directly.
What it isn´t
System call filtering isn´t a sandbox.It provides a clearly defined mechanism for minimizing the exposed kernel surface. It is meant to be a tool for sandbox developers to use. Beyond that, policy for logical behavior and information flow should be managed with a combination of other system hardening techniques and, potentially, an LSM of your choosing. Expressive, dynamic filters provide further options down this path (avoiding pathological sizes or selecting which of the multiplexed system calls in socketcall() is allowed, for instance) which could be construed, incorrectly, as a more complete sandboxing solution.
An additional seccomp mode is added and is enabled using the same prctl(2) call as the strict seccomp. If the architecture has CONFIG_HAVE_ARCH_SECCOMP_FILTER, then filters may be added as below:

Firefox mit Tor:

sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/firefox.profile /usr/lib64/firefox/firefox --no-remote &" && sg surfgroup "unshare firejail --nice=19 --profile=/etc/firejail/tor.profile tor -f /home/surfuser/torrc" && export RESOLV_HOST_CONF="/etc/hosts"

with default-firefox.profile like default.profile, but without blacklist /home/surfuser/.mozilla and /home/surfuser/.cache (commented in with "#").

Option tor: is used for the anonymizing TorDNS as the remote-DNS-server, what is introduced with Tor at the end of this excurs.

Following the many profile-files in /etc/firejail, the in comparison to sandbox docker-io easy-to-handle Firejail is recommended for all programs resp. processes online and you might not trust like webserver, server, dolphin (what causes a intern restricted bash, so that you should resign from it as much as for quit all processes online. Have a brief look into the configuration file of firejail in /etc/firejail too: many of them refer to single processes resp. programs, some like files named disable*.inc refer to more than it. There, encrypted partitions and directories including sub-directories (blacklist /mnt/) and USB-sticks (blacklist /media/ resp. blacklist /media/directory_for_the_usb-stick) can be secured once more too as much as the block of the intern start of bash-commands refering to outside of private and so on. Now everything online runs not only "two and three times more secure" but even much faster than already fast !

Firejail-options for *.inc-files within /etc/firejail/ :
caps.drop all
protocol unix,inet,inet6
OKshell none
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
# ... not all firejail-options should be activated, in order to avoid capacity- and serious hard system-errors!

To the profiles of actual firejail 0.9.48-1.pcclos2017 in /etc/firejail, that is provided preconfigured by us (Gooken) to get downloaded from our section for updates, belong (description see "man firejail")

140 25. Jun 14:30 7z.profile
1225 25. Jun 14:30 abrowser.profile
704 20. Mai 23:55 akregator.profile
489 25. Jun 14:30 amarok.profile
568 20. Mai 23:55 arduino.profile
499 25. Jun 14:30 ark.profile
347 25. Jun 14:30 atom-beta.profile
342 25. Jun 14:30 atom.profile

535 25. Jun 14:30 atool.profile

410 25. Jun 14:30 atril.profile

267 25. Jun 14:30 audacious.profile
357 25. Jun 14:30 audacity.profile
458 25. Jun 14:30 aweather.profile
1742 20. Mai 23:55 baloo_file.profile
785 20. Mai 23:55 bibletime.profile
271 25. Jun 14:30 bitlbee.profile
488 25. Jun 14:30 bleachbit.profile
488 8. Mai 23:07 bleachbit.profile
595 20. Mai 23:55 blender.profile
492 25. Jun 14:30 bless.profile
492 8. Mai 23:07 bless.profile
535 25. Jun 14:30 brasero.profile
535 8. Mai 23:07 brasero.profile
338 25. Jun 14:30 brave.profile
878 20. Mai 23:55 caja.profile
407 25. Jun 14:30 cherrytree.profile
66 25. Jun 14:30 chromium-browser.profile
695 25. Jun 14:30 chromium.profile
393 25. Jun 14:30 claws-mail.profile
268 25. Jun 14:30 clementine.profile
598 20. Mai 23:55 clipit.profile
340 25. Jun 14:30 cmus.profile
564 25. Jun 14:30 conkeror.profile
262 25. Jun 14:30 corebird.profile
379 25. Jun 14:30 cpio.profile
178 25. Jun 14:30 cryptocat.profile
524 20. Mai 23:55 Cryptocat.profile
582 25. Jun 14:30 cvlc.profile
99 25. Jun 14:30 cyberfox.profile
245 20. Mai 23:55 Cyberfox.profile
304 25. Jun 14:30 deadbeef.profile
366 25. Jun 14:30 default0.profile
366 25. Jun 14:30 default2.profile
607 25. Jun 14:30 default-firefox.profile
371 25. Jun 14:30 default-gftp.profile
367 25. Jun 14:30 default.profile
397 25. Jun 14:30 deluge.profile
526 20. Mai 23:55 dia.profile
450 25. Jun 14:30 dillo.profile
755 20. Mai 23:55 dino.profile
4812 25. Jun 14:30
7239 25. Jun 14:30
3788 25. Jun 14:30
3788 11. Mai 15:08
7239 25. Jun 14:30
91 25. Jun 14:30
1470 25. Jun 14:30
725 25. Jun 14:30
187 25. Jun 14:30
567 25. Jun 14:30
4949 25. Jun 14:30
538 25. Jun 14:30 display.profile
770 25. Jun 14:30 dnscrypt-proxy.profile
327 25. Jun 14:30 dnsmasq.profile
831 25. Jun 14:30 dolphin.profile
831 8. Mai 23:07 dolphin.profile
370 25. Jun 14:30 dosbox.profile
529 25. Jun 14:30 dragon.profile
448 25. Jun 14:30 dropbox.profile
562 25. Jun 14:30 elinks.profile
276 25. Jun 14:30 emacs.profile
229 25. Jun 14:30 empathy.profile
535 25. Jun 14:30 enchant.profile
505 25. Jun 14:30 engrampa.profile
376 25. Jun 14:30 eog.profile
374 25. Jun 14:30 eom.profile
609 25. Jun 14:30 epiphany.profile
356 25. Jun 14:30 evince.profile
476 25. Jun 14:30 evolution.profile
630 25. Jun 14:30 exiftool.profile
402 25. Jun 14:30 fbreader.profile
367 25. Jun 14:30 feh.profile
223 25. Jun 14:30 file.profile
514 25. Jun 14:30 file-roller.profile
553 20. Mai 23:55 filezilla.profile
230 20. Mai 23:55 firefox-esr.profile
1819 20. Mai 23:55 firefox.profile
2985 25. Jun 14:30 firejail.config 898 25. Jun 14:30 flashpeak-slimjet.profile
300 25. Jun 14:30 flowblade.profile
544 20. Mai 23:55 fontforge.profile
429 25. Jun 14:30 fossamail.profile
220 20. Mai 23:55 FossaMail.profile
481 25. Jun 14:30 franz.profile
817 25. Jun 14:30 gajim.profile
601 20. Mai 23:55 galculator.profile
543 20. Mai 23:55 geany.profile
621 25. Jun 14:30 gedit.profile
582 25. Jun 14:30 geeqie.profile
36 20. Mai 23:55 gimp-2.8.profile
295 25. Jun 14:30 gimp.profile
418 25. Jun 14:30 git.profile
383 25. Jun 14:30 gitter.profile
833 25. Jun 14:30 gjs.profile
555 20. Mai 23:55 globaltime.profile
653 25. Jun 14:30 gnome-2048.profile
654 25. Jun 14:30 gnome-books.profile
503 25. Jun 14:30 gnome-calculator.profile
431 25. Jun 14:30 gnome-chess.profile
526 25. Jun 14:30 gnome-clocks.profile
499 25. Jun 14:30 gnome-contacts.profile
612 25. Jun 14:30 gnome-documents.profile
543 20. Mai 23:55 gnome-font-viewer.profile
627 25. Jun 14:30 gnome-maps.profile
627 8. Mai 23:07 gnome-maps.profile
329 25. Jun 14:30 gnome-mplayer.profile
552 25. Jun 14:30 gnome-music.profile
663 25. Jun 14:30 gnome-photos.profile
669 25. Jun 14:30 gnome-weather.profile
493 25. Jun 14:30 goobox.profile
704 25. Jun 14:30 google-chrome-beta.profile
670 25. Jun 14:30 google-chrome.profile
76 25. Jun 14:30 google-chrome-stable.profile
732 25. Jun 14:30 google-chrome-unstable.profile
452 25. Jun 14:30 google-play-music-desktop-player.profile
493 25. Jun 14:30 gpa.profile
542 25. Jun 14:30 gpg-agent.profile
530 25. Jun 14:30 gpg.profile
543 25. Jun 14:30 gpicview.profile
458 25. Jun 14:30 gpredict.profile
55 25. Jun 14:30 gtar.profile
370 25. Jun 14:30 gthumb.profile
501 25. Jun 14:30 guayadeque.profile
535 20. Mai 23:55 gucharmap.profile
424 25. Jun 14:30 gwenview.profile
153 25. Jun 14:30 gzip.profile
425 25. Jun 14:30 hedgewars.profile
632 25. Jun 14:30 hexchat.profile
546 25. Jun 14:30 highlight.profile
544 20. Mai 23:55 hugin.profile
1224 25. Jun 14:30 icecat.profile
445 25. Jun 14:30 icedove.profile
99 25. Jun 14:30 iceweasel.profile
508 25. Jun 14:30 img2txt.profile
302 25. Jun 14:30 inkscape.profile
509 25. Jun 14:30 inox.profile
192 25. Jun 14:30 iridium-browser.profile
631 25. Jun 14:30 iridium.profile
479 25. Jun 14:30 jd-gui.profile
479 8. Mai 23:07 jd-gui.profile
326 25. Jun 14:30 jitsi.profile
475 25. Jun 14:30 k3b.profile
475 8. Mai 23:07 k3b.profile
700 25. Jun 14:30 kate.profile
617 20. Mai 23:55 kcalc.profile
219 25. Jun 14:30 keepass2.profile
400 25. Jun 14:30 keepass.profile
630 25. Jun 14:30 keepassx2.profile
630 8. Mai 23:07 keepassx2.profile
673 25. Jun 14:30 keepassxc.profile
673 8. Mai 23:07 keepassxc.profile
427 25. Jun 14:30 keepassx.profile
665 25. Jun 14:30 kino.profile
665 8. Mai 23:07 kino.profile
356 25. Jun 14:30 kmail.profile
356 21. Apr 13:50 kmail.profile
526 20. Mai 23:55 knotes.profile
545 20. Mai 23:55 kodi.profile
288 25. Jun 14:30 konversation.profile
709 20. Mai 23:55 ktorrent.profile
558 20. Mai 23:55 leafpad.profile
122 25. Jun 14:30 less.profile
400 25. Jun 14:30 libreoffice.profile
131 25. Jun 14:30 localc.profile
131 25. Jun 14:30 lodraw.profile
131 25. Jun 14:30 loffice.profile
131 25. Jun 14:30 lofromtemplate.profile
345 25. Jun 14:30 login.users 131 25. Jun 14:30 loimpress.profile
506 25. Jun 14:30 lollypop.profile
506 8. Mai 23:07 lollypop.profile
131 25. Jun 14:30 lomath.profile
131 25. Jun 14:30 loweb.profile
131 25. Jun 14:30 lowriter.profile
349 25. Jun 14:30 luminance-hdr.profile
556 20. Mai 23:55 lximage-qt.profile
579 20. Mai 23:55 lxmusic.profile
263 25. Jun 14:30 lxterminal.profile
533 25. Jun 14:30 lynx.profile
562 20. Mai 23:55 mate-calc.profile
42 20. Mai 23:55 mate-calculator.profile
533 20. Mai 23:55 mate-color-select.profile
579 20. Mai 23:55 mate-dictionary.profile
213 20. Mai 23:55 mathematica.profile
491 25. Jun 14:30 Mathematica.profile
213 8. Mai 23:07 mathematica.profile
387 25. Jun 14:30 mcabber.profile
545 25. Jun 14:30 mediainfo.profile
533 25. Jun 14:30 mediathekview.profile
551 20. Mai 23:55 meld.profile
301 25. Jun 14:30 midori.profile
526 25. Jun 14:30 mousepad.profile
363 25. Jun 14:30 mpv.profile
717 25. Jun 14:30 multimc5.profile
717 8. Mai 23:07 multimc5.profile
734 25. Jun 14:30 mumble.profile
734 8. Mai 23:07 mumble.profile
890 25. Jun 14:30 mupdf.profile
514 25. Jun 14:30 mupen64plus.profile
774 25. Jun 14:30 mutt.profile
859 25. Jun 14:30 nautilus.profile
859 8. Mai 23:07 nautilus.profile
674 20. Mai 23:55 nemo.profile
658 25. Jun 14:30 netsurf.profile
774 25. Jun 14:30 652 20. Mai 23:55 nylas.profile
554 25. Jun 14:30 odt2txt.profile
542 25. Jun 14:30 okular.profile
284 25. Jun 14:30 openbox.profile
294 25. Jun 14:30 openshot.profile
591 25. Jun 14:30 opera-beta.profile
611 25. Jun 14:30 opera.profile
584 20. Mai 23:55 orage.profile
1601 25. Jun 14:30 palemoon.profile
371 25. Jun 14:30 parole.profile
660 20. Mai 23:55 pcmanfm.profile
439 25. Jun 14:30 pdfsam.profile
439 8. Mai 23:07 pdfsam.profile
541 25. Jun 14:30 pdftotext.profile
363 25. Jun 14:30 pidgin.profile
483 25. Jun 14:30 pithos.profile
483 8. Mai 23:07 pithos.profile
412 25. Jun 14:30 pix.profile
503 25. Jun 14:30 pluma.profile
707 25. Jun 14:30 polari.profile
507 25. Jun 14:30 psi-plus.profile
439 25. Jun 14:30 qbittorrent.profile
452 25. Jun 14:30 qemu-launcher.profile
418 25. Jun 14:30 qemu-system-x86_64.profile
560 20. Mai 23:55 qlipper.profile
405 25. Jun 14:30 qpdfview.profile
448 25. Jun 14:30 qtox.profile
222 25. Jun 14:30 quassel.profile
626 25. Jun 14:30 quiterss.profile
813 25. Jun 14:30 qupzilla.profile
533 25. Jun 14:30 qutebrowser.profile
426 25. Jun 14:30 ranger.profile
353 25. Jun 14:30 rhythmbox.profile
574 20. Mai 23:55 ristretto.profile
360 25. Jun 14:30 rtorrent.profile
885 25. Jun 14:30 scribus.profile
885 8. Mai 23:07 scribus.profile
100 25. Jun 14:30 seamonkey-bin.profile
1293 25. Jun 14:30 seamonkey.profile
355 25. Jun 14:30 server.profile
562 25. Jun 14:30 simple-scan.profile
506 25. Jun 14:30 skanlite.profile
267 25. Jun 14:30 skypeforlinux.profile
243 25. Jun 14:30 skype.profile
624 25. Jun 14:30 slack.profile
349 25. Jun 14:30 snap.profile
131 25. Jun 14:30 soffice.profile
844 25. Jun 14:30 spotify.profile
464 25. Jun 14:30 ssh-agent.profile
287 25. Jun 14:30 ssh.profile
603 25. Jun 14:30 start-tor-browser.profile
386 25. Jun 14:30 steam.profile
546 25. Jun 14:30 stellarium.profile
126 25. Jun 14:30 strings.profile
322 25. Jun 14:30 synfigstudio.profile
301 25. Jun 14:30 tar.profile
62 25. Jun 14:30 telegram.profile
208 20. Mai 23:55 Telegram.profile
62 12. Apr 20:18 telegram.profile
208 8. Mai 23:07 Telegram.profile
37 25. Jun 14:30 thunar.profile
725 20. Mai 23:55 Thunar.profile
540 8. Mai 23:07 Thunar.profile
446 25. Jun 14:30 thunderbird.profile
335 25. Jun 14:30 totem.profile
628 25. Jun 14:30 tracker.profile
618 25. Jun 14:30 transmission-cli.profile
460 25. Jun 14:30 transmission-gtk.profile
457 25. Jun 14:30 transmission-qt.profile
591 25. Jun 14:30 transmission-show.profile
441 25. Jun 14:30 uget-gtk.profile
780 25. Jun 14:30 unbound.profile
235 25. Jun 14:30 unrar.profile
223 25. Jun 14:30 unzip.profile
223 25. Jun 14:30 uudeview.profile
702 25. Jun 14:30 uzbl-browser.profile
609 20. Mai 23:55 viewnior.profile
581 20. Mai 23:55 viking.profile
292 25. Jun 14:30 vim.profile
273 25. Jun 14:30 virtualbox.profile
189 20. Mai 23:55 VirtualBox.profile
69 25. Jun 14:30 vivaldi-beta.profile
540 25. Jun 14:30 vivaldi.profile
534 25. Jun 14:30 vivaldi-stable.profile
398 25. Jun 14:30 vlc.profile
547 25. Jun 14:30 w3m.profile
521 25. Jun 14:30 warzone2100.profile
992 25. Jun 14:30 69 25. Jun 14:30 weechat-curses.profile
408 25. Jun 14:30 weechat.profile
689 25. Jun 14:30 wesnoth.profile
497 25. Jun 14:30 wget.profile
497 8. Mai 23:07 wget.profile
746 25. Jun 14:30
284 25. Jun 14:30 wine.profile
676 20. Mai 23:55 wire.profile
203 25. Jun 14:30 Wire.profile
609 25. Jun 14:30 wireshark.profile
609 8. Mai 23:07 wireshark.profile
288 25. Jun 14:30 xchat.profile
497 25. Jun 14:30 xed.profile
922 20. Mai 23:55 Xephyr.profile
531 25. Jun 14:30 xfburn.profile
555 20. Mai 23:55 xfce4-dict.profile
657 20. Mai 23:55 xfce4-notes.profile
676 25. Jun 14:30 xiphos.profile
487 25. Jun 14:30 xmms.profile
225 25. Jun 14:30 xonotic-glx.profile
602 25. Jun 14:30 xonotic.profile
602 8. Mai 23:07 xonotic.profile
225 25. Jun 14:30 xonotic-sdl.profile
352 25. Jun 14:30 xpdf.profile
450 25. Jun 14:30 xplayer.profile
512 25. Jun 14:30 xpra.profile
512 8. Mai 23:07 xpra.profile
450 25. Jun 14:30 xreader.profile
1128 20. Mai 23:55 Xvfb.profile
336 25. Jun 14:30 xviewer.profile
154 25. Jun 14:30 xzdec.profile
54 25. Jun 14:30 xz.profile
530 20. Mai 23:55 youtube-dl.profile
393 25. Jun 14:30 zathura.profile
470 25. Jun 14:30 zoom.profile

# For Pale Moon and Tor
# Generic GUI application profile
include /etc/firejail/
include /etc/firejail/
include /etc/firejail/
noblacklist /usr/bin/palemoon
noblacklist /usr/bin/tor
noblacklist ${HOME}/.moon*
noblacklist ${HOME}/keys
noblacklist ${HOME}/lock
noblacklist ${HOME}/state
noblacklist ${HOME}/cached*
noblacklist ${HOME}/ca-bundle.crt
noblacklist ${HOME}/.thumbnails
noblacklist ${HOME}/cache
noblacklist ${HOME}/control_auth_cookie
read-only ${HOME}/geoip
read-only ${HOME}/geoip6
read-only ${HOME}/torrc
read-only ${HOME}/.pale*/moon*/profile.yourprofile/user.js
noblacklist ${HOME}/tmp
blacklist ${HOME}/.local
blacklist ${HOME}/.pulse
blacklist ${HOME}/.kde
blacklist ${HOME}/.kde4
blacklist ${HOME}/.gftp
blacklist ${HOME}/.config
blacklist ${HOME}/.pki
blacklist ${HOME}/.mcop
blacklist ${HOME}/.fontconfig
blacklist ${HOME}/.dbus
blacklist ${HOME}/.bash*
blacklist ${HOME}/.abrt
blacklist ${HOME}/.gconf*
blacklist ${HOME}/.xsession-errors
blacklist ${HOME}/.profile
blacklist ${HOME}/Desktop
blacklist ${HOME}/.mozilla
blacklist ${HOME}/.wine
blacklist ${HOME}/.gnupg
blacklist ${HOME}/.mozilla
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /usr/src
blacklist /usr/games
blacklist /etc/init.d
blacklist /etc/rc0.d
blacklist /etc/rc1.d
blacklist /etc/rc2.d
blacklist /etc/rc3.d
blacklist /etc/rc4.d
blacklist /etc/rc5.d
blacklist /etc/rc6.d
blacklist /usr/local
blacklist /etc/rc.d
blacklist /etc/fstab
blacklist /etc/mtab
blacklist /etc/crypttab
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /etc/passwd
blacklist /boot
blacklist /usr/bin/*
blacklist /bin/*
caps.drop all
protocol unix,inet,netlink
shell none
#private-bin which,firefox
private-etc passwd,group,hostname,hosts,fonts,nsswitch.conf,xdg,resolv.conf,pango

OK/etc/firejail/firefox.profile (extraction):
# This file is overwritten during software install.
# Persistent customizations should go in a .local file.
include /etc/firejail/firefox.local
# Firejail profile for Mozilla Firefox (Iceweasel in Debian)
noblacklist ~/.mozilla
noblacklist ~/.cache/mozilla
blacklist ~/.config/qpdfview
blacklist ~/.local/share/qpdfview
blacklist ~/.pki
blacklist /usr/bin
blacklist /usr/sbin
blacklist /usr/src
blacklist /opt
blacklist /sbin
blacklist /usr/libexec
blacklist /bin
blacklist /usr/games
blacklist /etc/init.d
blacklist /etc/rc0.d
blacklist /etc/rc1.d
blacklist /etc/rc2.d
blacklist /etc/rc3.d
blacklist /etc/rc4.d
blacklist /etc/rc5.d
blacklist /etc/rc6.d
blacklist /etc/rc.d
blacklist /etc/fstab
blacklist /etc/mtab
blacklist /etc/crypttab
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist /etc/passwd
blacklist /boot
blacklist /usr/local
blacklist ~./kde4
blacklist ~./config
blacklist ~./gconf
blacklist ~./gconfd
blacklist ~./local
blacklist ~./mcop
blacklist ~./pulse-cookie
blacklist ~./thumbnails
blacklist ~./Desktop
blacklist /home/secret
blacklist /home/toranonym
blacklist /media
blacklist /mnt
noblacklist /usr/bin/xargs
noblacklist /usr/bin/xauth
noblacklist /usr/bin/export
noblacklist /usr/bin/firefox
noblacklist /usr/bin/sg
noblacklist /usr/bin/gftp
noblacklist /usr/bin/gftp-gtk
noblacklist /usr/bin/gftp-text
noblacklist /usr/bin/tor
noblacklist /bin/certtool
noblacklist /bin/certutil
noblacklist /bin/basename
noblacklist /bin/bash.old
noblacklist /bin/p11tool
noblacklist /bin/pk12util
noblacklist /bin/smime
noblacklist /bin/shlibsign
noblacklist /bin/signtool
noblacklist /bin/signver
noblacklist /bin/ssltap
read-only /home/surfuser/.mozilla/firefox/default.profile/user.js read-only /home/surfuser/torrc read-only /home/surfuser/.mozilla/firefox/prefs.js #blacklist ~/."moonchild productions" include /etc/firejail/ include /etc/firejail/ include /etc/firejail/ OKcaps.drop all
OKprotocol unix,inet,netlink
OKshell none
# tracelog
# ... see firejail --help, BEACHTE: Nicht alle Firejail-Optionen funktionieren für Firefox! mkdir ~/.mozilla
whitelist ~/.mozilla
mkdir ~/.cache/mozilla/firefox
whitelist ~/.cache/mozilla/firefox
whitelist ~/dwhelper
mkdir ~/.pki
whitelist ~/.pki
disable-mnt # or use blacklist /mnt and blacklist /media

private-dev # This might not always work with firefox
# experimental features
# private-bin sh,which,env,dbus-send,dbus-launch
# private-etc passwd,group,hostname,hosts,localtime,nsswitch.conf,resolv.conf,xdg,pango,fonts,firefox,mime.types,mailcap,asound.conf,pulse
private-etc passwd,group,hostname,hosts,resolv.conf,nsswitch.conf,fonts,mailcap,pulse
# private-dev # - prevents video calls going out
noexec ${HOME}
noexec /tmp
noexec /tmp2

... or, in order to start konqueror with priority 18 always by mouseclick out of the K-menu, type "sg surfgroup konqueror && renice -n 18 ´pidof konqueror´ &&kded4" resp. with firejail-options into the command-line, after editing the K-menu with kmenuedit. Konqueror loads websites even with process-priority 18 fabolous fast (its like beaming to visit anything anywhere at once with a Spaceship like Enterprise thanks Spock, as if Google has not been there for a long time...). We also started services like the cookie-management for surfuser named kded4. On our linksites we describe by reports and links more enfastening methods for the browser Firefox.

Notice, that there is a patch for firejail (pclos2017) from year 2017/12 firejail-0.9.52-1.x86_64 making the private-option in all cases really effective. This means for our two examples for firejail for konqueror and firefox better to resign from this option for the first time, until firejail might gets reconfgured. To make firejail already work well without this option, we suggest the following configuration. Also notice, that it won´t fit for all programs (although quit all). In this case, single entries might have to be removed or added to store into new configuration files:

Pale Moon, notice: noscript and RequestBlockPolicyContinned do not block many scripts as they should do!

#### Especially for Pale Moon (browser):

blacklist /mnt
blacklist /media
blacklist /etc/cups
blacklist /usr/local
blacklist /usr/sbin
blacklist /sbin
blacklist /usr/libexec
blacklist /usr/games
blacklist /lib
blacklist /home/toruser
blacklist /home/user
blacklist /opt
blacklist /usr/lib
blacklist /usr/lib/python*
blacklist /usr/lib64/python*
blacklist /usr/lib/perl*
blacklist /usr/lib64/perl*
blacklist /etc/shadow
blacklist /etc/shadow-
blacklist ${HOME}/.wine
blacklist ${HOME}/.gnupg
caps.drop all
protocol unix,inet,inet6
OKshell none
#private-bin which,firefox
private-etc passwd,group,hostname,hosts,fonts,nsswitch.conf,xdg,resolv.conf,pango #
#### end Pale Moon (/etc/firejail/palemoon.profile)

OK/etc/firejail/default.profile (preconfigured firejail (fc27, pclos2017, rosa2016.1) from August 2017 can be downloaded from our update section):

# Generic GUI application profile
include /etc/firejail/
include /etc/firejail/
include /etc/firejail/
blacklist DOLLAR{HOME}/.wine
blacklist DOLLAR{HOME}/.gnupg
caps.drop all
# netfilter
protocol unix,inet,inet6
# seccomp

OKshell none # this is very important and suitable for many profiles, even konqueror, kmail and thunderbird, but not all profiles: also notice our comments about /etc/passwd

/etc/firejail/ of firejail (rosa2014.1), alternatively set ACL-rules (setfacl):

OKnoexec /usr/bin/bash # for some profiles like for Konqueror
noexec /bin/bash
# History files in HOME
blacklist-nolog DOLLAR{HOME}/.history
blacklist-nolog {HOME}/.*_history
blacklist {HOME}/.local/share/systemd
blacklist-nolog {HOME}/.adobe
blacklist-nolog {HOME}/.macromedia
read-only {HOME}/.local/share/applications

# X11 session autostart and more
blacklist DOLLAR{HOME}/Desktop
blacklist {HOME}/*.jar
blacklist {HOME}/logs
blacklist {HOME}/tor-browser
blacklist {HOME}/.xinitrc
blacklist {HOME}/.xprofile
blacklist {HOME}/.config/autostart
blacklist /etc/xdg/autostart
blacklist {HOME}/.kde4/Autostart
blacklist {HOME}/.kde4/share/autostart
blacklist {HOME}/.kde/Autostart
blacklist {HOME}/.kde/share/autostart
blacklist {HOME}/.config/plasma-workspace/shutdown
blacklist {HOME}/.config/plasma-workspace/env
blacklist {HOME}/.config/lxsession/LXDE/autostart
blacklist {HOME}/.fluxbox/startup
blacklist {HOME}/.config/openbox/autostart
blacklist {HOME}/.config/openbox/environment
blacklist {HOME}/.gnomerc
read-only /etc
read-only /bin
read-only /usr/bin
read-only /usr/etc
read-only /proc
read-only /sys
read-only /dev
blacklist /etc/X11/Xsession.d/
blacklist /media/ # USB-Sticks / USB-Speicherstifte
blacklist /media/sicher/
blacklist /mnt
blacklist /opt
blacklist /misc
blacklist /secoff
blacklist /sid-root
blacklist /lost+found
blacklist /smack
blacklist /srv
blacklist /net
blacklist /initrd
blacklist /intel-ucode
blacklist /boot-save
blacklist /boot
blacklist /cgroup
blacklist /root
read-only /lib
read-only /lib64
read-only /usr/lib
read-only /usr/lib64 # Firefox: "read-only /usr/lib64/lib*" or read-only /usr/lib64/a*, ..., read-only /usr/lib64/z* without the firefox-directory
read-only /usr/lib64/kde4
blacklist /usr/local
blacklist /usr/bin/ssh*
blacklist /usr/src
read-only /usr/bin/firejail
read-only /usr/ssl
read-only /usr/libexec
read-only /usr/uclibc
read-only /usr/X11R6
read-only /usr/x86_64-linux-uclibc
read-only /usr/etc
read-only /usr/com
read-only /usr/docs
read-only /usr/enthought
read-only /usr/GNUstep
read-only /usr/selenium
read-only /usr/man
read-only /usr/mipsel-linux
read-only /usr/i686-w64-mingw32
read-only /usr/i486-linux-libc5
blacklist /bin/kill
blacklist /bin/rm
blacklist /bin/ping
blacklist /bin/mount*
blacklist /bin/umount*
blacklist /bin/ls*
blacklist /bin/sed*
blacklist /bin/rpm
blacklist /bin/pipeline
blacklist /bin/mv
blacklist /bin/cp
blacklist /bin/csh
blacklist /bin/dd
blacklist /bin/chmod
blacklist /bin/chown
blacklist /bin/dash
blacklist /bin/df
blacklist /bin/dmesg
blacklist /bin/ed
blacklist /bin/find
blacklist /bin/grep
blacklist /bin/exec
blacklist /bin/gunzip
blacklist /bin/gzip
blacklist /bin/gzexe
blacklist /bin/ln
blacklist /bin/login
blacklist /bin/lsblk
blacklist /bin/mail
blacklist /bin/mailx
blacklist /bin/mkdir
blacklist /bin/mksh
blacklist /bin/mknod
blacklist /bin/netstat
# blacklist /bin/ps
blacklist /bin/pwd
blacklist /bin/pipeline
blacklist /bin/rmdir
blacklist /bin/tcsh
blacklist /bin/touch
blacklist /bin/vi
blacklist /bin/zsh
blacklist /bin/tar
blacklist /bin/zless
blacklist /bin/zmore
blacklist /bin/more
blacklist /bin/date
blacklist /bin/dmesg
blacklist /bin/ash
blacklist /bin/awk
blacklist /bin/cg*
blacklist /bin/cd
blacklist /bin/bashb*
blacklist /bin/cat
blacklist /bin/env
blacklist /bin/get*
blacklist /bin/for*
blacklist /bin/homeof
blacklist /bin/foreground
blacklist /usr/bin/rpm*
blacklist /usr/bin/srm
blacklist /usr/bin/shred
blacklist /usr/bin/wipe
blacklist /usr/bin/mount*
blacklist /usr/bin/umount*
blacklist /usr/bin/mouse*
blacklist /usr/bin/ls*
# blacklist /usr/bin/r*
# blacklist /usr/bin/a*
# blacklist /usr/bin/c*
# blacklist /usr/bin/e*
# blacklist /usr/bin/f*
# blacklist /usr/bin/h*
# blacklist /usr/bin/i*
# blacklist /usr/bin/j*
# blacklist /usr/bin/perl*
# blacklist /usr/bin/s*
# blacklist /usr/bin/t*
# blacklist /usr/bin/u*
# blacklist /usr/bin/v*
# blacklist /usr/bin/w*
# blacklist /usr/bin/x*
# blacklist /usr/bin/y*
# blacklist /usr/bin/z*
blacklist /usr/libexec/mysql*
blacklist /usr/bin/mysql*
blacklist /usr/share/autostart
read-only /usr/share/cups
read-only /usr/share/cups/model
blacklist /usr/share/doc
blacklist /var/www
blacklist /var/www/html

# VirtualBox blacklist DOLLAR{HOME}/.VirtualBox
blacklist DOLLAR{HOME}/VirtualBox VMs
blacklist DOLLAR{HOME}/.config/VirtualBox

# VeraCrypt
blacklist DOLLAR{PATH}/veracrypt
blacklist DOLLAR{PATH}/
blacklist /usr/share/veracrypt
blacklist /usr/share/applications/veracrypt.*
blacklist /usr/share/pixmaps/veracrypt.*
blacklist DOLLAR{HOME}/.VeraCrypt

# var
blacklist /var/spool/cron
blacklist /var/spool/anacron
blacklist /var/run/acpid.socket
blacklist /var/run/minissdpd.sock
blacklist /var/run/rpcbind.sock
blacklist /var/run/mysqld/mysqld.sock
blacklist /var/run/mysql/mysqld.sock
blacklist /var/lib/mysqld/mysql.sock
blacklist /var/lib/mysql/mysql.sock
blacklist /var/run/docker.sock

# etc
blacklist /etc/cron.*
blacklist /etc/profile.d
blacklist /etc/rc.local
blacklist /etc/anacrontab
blacklist /etc/rpc*
blacklist /etc/rpm*
blacklist /etc/rc*
blacklist /etc/init.d
read-only /etc/printcap
blacklist /etc/pmount*
read-only /etc/PolicyKit
read-only /etc/php.ini
read-only /etc/passwd
read-only /etc/paper*
blacklist /etc/mpasswd
blacklist /etc/modprobe*
blacklist /etc/mke2fs*
blacklist /etc/libuser.conf
blacklist /etc/libvirt
blacklist /etc/*
read-only /etc/kde
blacklist /etc/init*
blacklist /etc/incron*
blacklist /etc/resolv.conf
blacklist /etc/host*
blacklist /etc/gshadow*
blacklist /etc/fstab*
blacklist /etc/freshclam*
blacklist /etc/dracut*
read-only /etc/Dir_COLORS*
blacklist /etc/dhcp*
read-only /etc/cups
blacklist /etc/crypttab*
blacklist /etc/cron*
blacklist /etc/csh*
blacklist /etc/cvs*
blacklist /etc/cpu*
blacklist /etc/conntrackd.conf
blacklist /etc/color*
blacklist /etc/cloud
blacklist /etc/clam*
blacklist /etc/chrony*
blacklist /etc/chilli*
read-only /etc/bash*
blacklist /etc/at
blacklist /etc/asound*
blacklist /etc/aide*

# General startup files
read-only DOLLAR{HOME}/.xinitrc
read-only DOLLAR{HOME}/.xserverrc
read-only DOLLAR{HOME}/.profile

# Shell startup files
read-only DOLLAR{HOME}/.antigen
read-only DOLLAR{HOME}/.bash_login
read-only DOLLAR{HOME}/.bashrc
read-only DOLLAR{HOME}/.bash_profile
read-only DOLLAR{HOME}/.bash_logout
read-only DOLLAR{HOME}/.zsh.d
read-only DOLLAR{HOME}/.zshenv
read-only DOLLAR{HOME}/.zshrc
read-only DOLLAR{HOME}/.zshrc.local
read-only DOLLAR{HOME}/.zlogin
read-only DOLLAR{HOME}/.zprofile
read-only DOLLAR{HOME}/.zlogout
read-only DOLLAR{HOME}/.zsh_files
read-only DOLLAR{HOME}/.tcshrc
read-only DOLLAR{HOME}/.cshrc
read-only DOLLAR{HOME}/.csh_files
read-only DOLLAR{HOME}/.profile
read-only DOLLAR{HOME}/.gnugp*
read-only DOLLAR{HOME}/gnupg

# Initialization files that allow arbitrary command execution
read-only DOLLAR{HOME}/.caffrc
read-only DOLLAR{HOME}/.dotfiles
read-only DOLLAR{HOME}/dotfiles
read-only DOLLAR{HOME}/.mailcap
read-only DOLLAR{HOME}/.exrc
read-only DOLLAR{HOME}/_exrc
read-only DOLLAR{HOME}/.vimrc
read-only DOLLAR{HOME}/_vimrc
read-only DOLLAR{HOME}/.gvimrc
read-only DOLLAR{HOME}/_gvimrc
read-only DOLLAR{HOME}/.vim
read-only DOLLAR{HOME}/.emacs read-only DOLLAR{HOME}/.emacs.d

read-only DOLLAR{HOME}/.nano
read-only DOLLAR{HOME}/.tmux.conf
read-only DOLLAR{HOME}/.iscreenrc
read-only DOLLAR{HOME}/.muttrc
read-only DOLLAR{HOME}/.mutt/muttrc
read-only DOLLAR{HOME}/.msmtprc
read-only DOLLAR{HOME}/.reportbugrc
read-only DOLLAR{HOME}/.xmonad
read-only DOLLAR{HOME}/.xscreensaver
read-only /etc/X11
# The user ~/bin directory can override commands such as ls
read-only DOLLAR{HOME}/bin
# top user
blacklist DOLLAR{HOME}/.ssh
blacklist DOLLAR{HOME}/.cert
blacklist DOLLAR{HOME}/.gnome2/keyrings
blacklist DOLLAR{HOME}/.kde4/share/apps/kwallet
blacklist DOLLAR{HOME}/.kde/share/apps/kwallet
blacklist DOLLAR{HOME}/.local/share/kwalletd
blacklist DOLLAR{HOME}/.config/keybase
blacklist DOLLAR{HOME}/.netrc
blacklist DOLLAR{HOME}/.gnupg
blacklist DOLLAR{HOME}/.caff
blacklist DOLLAR{HOME}/.smbcredentials
blacklist DOLLAR{HOME}/*.kdbx
blacklist DOLLAR{HOME}/*.kdb
blacklist DOLLAR{HOME}/*.key
blacklist DOLLAR{HOME}/.muttrc
blacklist DOLLAR{HOME}/.mutt/muttrc
blacklist DOLLAR{HOME}/.msmtprc
blacklist /home/surfuser/.gnupg
blacklist /etc/shadow
blacklist /etc/gshadow
# blacklist /etc/passwd
blacklist /etc/passwd-
blacklist /etc/group-
blacklist /etc/shadow-
blacklist /etc/gshadow-
blacklist /etc/passwd+
blacklist /etc/group+
blacklist /etc/shadow+
blacklist /etc/gshadow+
blacklist /etc/ssh
blacklist /var/backup

# system management
blacklist DOLLAR{PATH}/umount
blacklist DOLLAR{PATH}/mount
blacklist DOLLAR{PATH}/fusermount
blacklist DOLLAR{PATH}/su
blacklist DOLLAR{PATH}/sudo
blacklist DOLLAR{PATH}/xinput
blacklist DOLLAR{PATH}/evtest
blacklist DOLLAR{PATH}/xev
blacklist DOLLAR{PATH}/strace
blacklist DOLLAR{PATH}/nc
blacklist DOLLAR{PATH}/ncat

# system directories
blacklist /sbin
blacklist /usr/sbin
blacklist /usr/local/sbin

# prevent lxterminal connecting to an existing lxterminal session
blacklist /tmp/.lxterminal-socket*

# disable terminals running as server resulting in sandbox escape
blacklist DOLLAR{PATH}/gnome-terminal
blacklist DOLLAR{PATH}/gnome-terminal.wrapper
blacklist DOLLAR{PATH}/xfce4-terminal
blacklist DOLLAR{PATH}/xfce4-terminal.wrapper
blacklist DOLLAR{PATH}/mate-terminal
blacklist DOLLAR{PATH}/mate-terminal.wrapper
blacklist DOLLAR{PATH}/lilyterm
blacklist DOLLAR{PATH}/pantheon-terminal
blacklist DOLLAR{PATH}/roxterm
blacklist DOLLAR{PATH}/roxterm-config
blacklist DOLLAR{PATH}/terminix
blacklist DOLLAR{PATH}/urxvtc
blacklist DOLLAR{PATH}/urxvtcd
blacklist DOLLAR{PATH}/xterm
blacklist DOLLAR{PATH}/konsole
blacklist DOLLAR{PATH}/rxvt
blacklist DOLLAR{PATH}/lxterminal
read-only /etc/firejail
blacklist /usr/bin/ssh*
blacklist /usr/bin/rlogin*
blacklist DOLLAR{HOME}/.gftp/cache
blacklist DOLLAR{HOME}/Dokumente
blacklist DOLLAR{HOME}/Video
blacklist DOLLAR{HOME}/Bilder
blacklist DOLLAR{HOME}/Audio
blacklist DOLLAR{HOME}/Texte

Now start Pale Moon (similar Firefox with default.profile instead of palemoon.profile):

knemo && sg surgruppe "unshare firejail --nice=19 --profile=/etc/firejail/palemoon.profile /usr/lib64/palemoon/palemoon --no-remote &" && sg surfgruppe "tor -f /etc/tor/torrc&quto; && export RESOLV_HOST_CONF="/etc/hosts"

It is possible to enter this command-line into a startup under "command." to start Pale Moon by one mouseclick only.

Small disadvantage: Process firejail for the browser has to be killed, before any package-installations are possible. Generally all processed started by the user surfuser can be terminated through the command "killall -u surfuser", as dnsmasq might run under surfuser at least by the command "killall firejail" from time to time, before too many firejail are running, so that all still running firejail-processes terminate. It is recommended to create a small entry with user root in the K-Menu and/or the same entry for the task line.

OKGeneral chroot and suid paranoia
chroot is one of the most powerful possibilities to restrict a daemon or a user or another service. Just imagine a jail around your target, which the target cannot escape from (normally, but there are still a lot of conditions that allow one to escape out of such a jail). You can eventually create a modified root environment for the user or service you do not trust. This can use quite a bit of disk space as you need to copy all needed executables, as well as libraries, into the jail. But then, even if the user does something malicious, the scope of the damage is limited to the jail.
Many services running as daemons could benefit from this sort of arrangement. The daemons that you install with your Debian distribution will not come, however, chrooted per default.
This includes: name servers (such as bind), web servers (such as apache), mail servers (such as sendmail) and ftp servers (such as wu-ftpd). It is probably fair to say that the complexity of BIND is the reason why it has been exposed to a lot of attacks in recent years (see Securing BIND, Section 5.7).
However, Debian does provide some software that can help set up chroot environments. See Making chrooted environments automatically (depicted in the following).
Anyway, if you run any service on your system, you should consider running them as secure as possible. This includes: revoking root privileges, running in a restricted environment (such as a chroot jail) or replacing them with a more secure equivalent.
However, be forewarned that a chroot jail can be broken if the user running in it is the superuser. So, you need to make the service run as a non-privileged user. By limiting its environment you are limiting the world readable/executable files the service can access, thus, you limit the possibilities of a privilege escalation by use of local system security vulnerabilities. Even in this situation you cannot be completely sure that there is no way for a clever attacker to somehow break out of the jail. Using only server programs which have a reputation for being secure is a good additional safety measure. Even minuscule holes like open file handles can be used by a skilled attacker for breaking into the system. After all, chroot was not designed as a security tool but as a testing tool.
Making chrooted environments automatically
There are several programs to chroot automatically servers and services. Debian currently (accepted in May 2002) provides Wietse Venema´s chrootuid in the chrootuid package, as well as compartment and makejail. These programs can be used to set up a restricted environment for executing any program (chrootuid enables you to even run it as a restricted user).
Some of these tools can be used to set up the chroot environment easily. The makejail program for example, can create and update a chroot jail with short configuration files (it provides sample configuration files for bind, apache, postgresql and mysql). It attempts to guess and install into the jail all files required by the daemon using strace, stat and Debian´s package dependencies. More information at Jailer is a similar tool which can be retrieved from and is also available as a Debian package.

But back to our text about LINFW3: Notice, that the NEW-LINE-BLOCK-only of Linfw3 prevents form all hacker except on established connections opened by the surfer, but not from any backdoors resp. trojans! Always try to use the NEW-LINE-BLOCK with the UID-( and/or GID-)owner-concept for surfuser and surfgroup together with the port-concept, while updates can be performed in the same way by root as the surfuser (and/or surfgroup)! Both, ALLOW-ROOT_LOGIN and ROOT_LOGIN shall be set to "no" and all access-rights upon directories and files set adequately. The computer-system will almost get serious hard hacked, if all this is not regarded!

mouseclick-fast work with the computer also has no chance to take into negative effect by following the methods of our excurs. For an always good and fast mount and umount of the USB-stick, actualize the filesystems to reisferfsprogs-3.6.24, e2fsprogs (1.43.2 from September 2016) resp. btrfs and manage the integration of the module usb_storage by modprobe. This module guarantees the fast secure mount and secure unmount of usb-media. To integrate it permanently for mdv2010 and other Linux, type into file /etc/modprobe.preload. If command chattr should keep its function instead, do not update the filesystem for loosing some kind of "id for owner-rights" But in this case, not much gets restricted, if chattr was not used before.

Our extra security-tip: Always click onto networkmanager-applet´s (el6), "exit" after the first dial-in into resp. after building up the first connection to the internet!

MAC Tomoyo profiles: /etc/tomoyo/*, kernel-boot-options security=tomoyo tomoyo=1.

OK # apparmor: application MAC-protection-shield and MAC-kernel-security-module to load within /boot/grub/menu.lst (grub1) by option security=apparmor apparmor=1
# dbus-apparmor&# within /etc/rc.local
# /usr/lib64/apparmorapplet&# /etc/rc.local
# example: apparmor_parser -af /etc/apparmor/profiles/extras/usr.lib.firefox.firefox &&/usr/bin/firefox # ( resp., still in order not to resign from firejail as introduced: ...&&sg surfgroup "firejail --profile=/etc/firejail/firefox-esr.profile /usr/bin/firefox" )
# /etc/apparmor/profiles/extras/* :
885 23. Jul 15:03 bin.netstat
1247 23. Jul 15:03 etc.cron.daily.logrotate
955 23. Jul 15:03 etc.cron.daily.slocate.cron
729 23. Jul 15:03 etc.cron.daily.tmpwatch
1733 23. Jul 15:03 README
1934 23. Jul 15:03 sbin.dhclient
1297 23. Jul 15:03 sbin.dhcpcd
682 23. Jul 15:03 sbin.portmap
855 23. Jul 15:03 sbin.resmgrd
489 23. Jul 15:03 sbin.rpc.lockd
1010 23. Jul 15:03 sbin.rpc.statd
1655 23. Jul 15:03 usr.bin.acroread
791 23. Jul 15:03 usr.bin.apropos
4569 23. Jul 15:03 usr.bin.evolution-2.10
697 23. Jul 15:03 usr.bin.fam
750 23. Jul 15:03 usr.bin.freshclam
1918 23. Jul 15:03 usr.bin.gaim
595 23. Jul 15:03
618 23. Jul 15:03 usr.bin.mlmmj-bounce
1041 23. Jul 15:03 usr.bin.mlmmj-maintd
1096 23. Jul 15:03
884 23. Jul 15:03 usr.bin.mlmmj-process
587 23. Jul 15:03 usr.bin.mlmmj-recieve
766 23. Jul 15:03 usr.bin.mlmmj-send
821 23. Jul 15:03 usr.bin.mlmmj-sub
803 23. Jul 15:03 usr.bin.mlmmj-unsub
2017 23. Jul 15:03 usr.bin.opera
1003 23. Jul 15:03 usr.bin.passwd
1025 23. Jul 15:03 usr.bin.procmail
1132 23. Jul 15:03
580 23. Jul 15:03 usr.bin.spamc
904 23. Jul 15:03 usr.bin.svnserve
1185 23. Jul 15:03 usr.bin.wireshark
674 23. Jul 15:03 usr.bin.xfs
1022 23. Jul 15:03 usr.lib64.GConf.2.gconfd-2
857 23. Jul 15:03 usr.lib.bonobo.bonobo-activation-server
1258 23. Jul 15:03 usr.lib.evolution-data-server.evolution-data-server-1.10
1604 23. Jul 15:03 usr.lib.firefox.firefox
386 23. Jul 15:03
654 23. Jul 15:03 usr.lib.firefox.mozilla-xremote-client
1018 23. Jul 15:03 usr.lib.GConf.2.gconfd-2
1230 23. Jul 15:03
889 23. Jul 15:03 usr.lib.postfix.anvil
2101 23. Jul 15:03 usr.lib.postfix.bounce
1269 23. Jul 15:03 usr.lib.postfix.cleanup
530 23. Jul 15:03 usr.lib.postfix.discard
626 23. Jul 15:03 usr.lib.postfix.error
1701 23. Jul 15:03 usr.lib.postfix.flush
624 23. Jul 15:03 usr.lib.postfix.lmtp
1839 23. Jul 15:03 usr.lib.postfix.local
1887 23. Jul 15:03 usr.lib.postfix.master
2443 23. Jul 15:03 usr.lib.postfix.nqmgr
607 23. Jul 15:03 usr.lib.postfix.oqmgr
859 23. Jul 15:03 usr.lib.postfix.pickup
497 23. Jul 15:03 usr.lib.postfix.pipe
709 23. Jul 15:03 usr.lib.postfix.proxymap
2464 23. Jul 15:03 usr.lib.postfix.qmgr
626 23. Jul 15:03 usr.lib.postfix.qmqpd
670 23. Jul 15:03 usr.lib.postfix.scache
2260 23. Jul 15:03 usr.lib.postfix.showq
1842 23. Jul 15:03 usr.lib.postfix.smtp
2120 23. Jul 15:03 usr.lib.postfix.smtpd
626 23. Jul 15:03 usr.lib.postfix.spawn
791 23. Jul 15:03 usr.lib.postfix.tlsmgr
904 23. Jul 15:03 usr.lib.postfix.trivial-rewrite
628 23. Jul 15:03 usr.lib.postfix.verify
788 23. Jul 15:03 usr.lib.postfix.virtual
1339 23. Jul 15:03 usr.lib.RealPlayer10.realplay
1074 23. Jul 15:03 usr.NX.bin.nxclient
1120 23. Jul 15:03 usr.sbin.cupsd
864 23. Jul 15:03 usr.sbin.dhcpd
6148 23. Jul 15:03 usr.sbin.httpd2-prefork
818 23. Jul 15:03 usr.sbin.imapd
652 23. Jul 15:03
1279 23. Jul 15:03
590 23. Jul 15:03
825 23. Jul 15:03 usr.sbin.ipop2d
825 23. Jul 15:03 usr.sbin.ipop3d
1365 23. Jul 15:03 usr.sbin.lighttpd
756 23. Jul 15:03 usr.sbin.mysqld
920 23. Jul 15:03 usr.sbin.nmbd
830 23. Jul 15:03 usr.sbin.oidentd
735 23. Jul 15:03 usr.sbin.popper
1331 23. Jul 15:03 usr.sbin.postalias
1017 23. Jul 15:03 usr.sbin.postdrop
829 23. Jul 15:03 usr.sbin.postmap
1091 23. Jul 15:03 usr.sbin.postqueue
3435 23. Jul 15:03 usr.sbin.sendmail
2061 23. Jul 15:03 usr.sbin.sendmail.postfix
1564 23. Jul 15:03 usr.sbin.sendmail.sendmail
946 25. Mai 2012 usr.sbin.slapd
1140 23. Jul 15:03 usr.sbin.smbd
1068 23. Jul 15:03 usr.sbin.spamd
1686 23. Jul 15:03 usr.sbin.squid
3691 23. Jul 15:03 usr.sbin.sshd
1310 23. Jul 15:03 usr.sbin.useradd
1344 23. Jul 15:03 usr.sbin.userdel
1073 23. Jul 15:03 usr.sbin.vsftpd
2413 23. Jul 15:03 usr.sbin.xinetd


We never got any delays during the secure umount of USB-sticks anymore.

mdv2010 mouseclick-fast: Linux runs faster than Windows: mouseclick-fast mdv2010 on SSD. The code of Linux seems to be architectured and optimized well. Nevertheless even Linux can run slow too. Before we ask us, how this can happen and which software to install, we are interested in cpu and RAM killing daemons to deinstall resp. remove from harddisc. That are processes running in the background, for what we need a good process-manager indicating resource-consumption in percent. Therefore we have to start programs like ptree, "ps -All", Systemüberwachung or just by pressing the keys "ESC" and "STRG". In our case packagekit with an enormous consumption of around always 40% was found out to install him for el6, same for nspluginwrapper, leading us to set chmod 000 /usr/bin/nspluginscan. Think about kio_thumbnail, that gets started sometimes for creating symbols within the filemanager for certain files, in dolphin depending on the configuration for preview. The capacities reducing process named "prelinking" should almost be tolerated instead:

"prelink is a program that modifies ELF shared libraries and ELF dynamically linked binaries in such a way, that the time needed for the dynamic linker to perform relocations at startup significantly decreases. Due to fewer relocations, the run-time memory consumption decreases as well (especially the number of unshareable pages). The prelinking information is only used at startup time if none of the dependent libraries have changed since prelinking; otherwise programs are relocated normally."

Depending on configuration in MCC-security, msec_find checks periodically, during the boot or never. In MCC, security, periodical checks you can set many msec-checks from daily to weekly, even better to "manual", if your mainboard does not have more than one #SMP (CPU). After surfing as surfuser or other communications within the net, all processes started by surfuser should be killed again: killall -u surfuser. See our data-sheed: With our decision for mdv2010 and a SSD this aim got reached once more. Also beware the recommended frequency for the RAM-Modules mentioned in the manual the mainboard not to plug in one of a lower frequency. Then all went mouseclick fast already by the mainboard model DDR2 533 Mhz (or higher) 19W, that is recommended in the data sheed below. We already got 533Mhz-nonames assembled in Germany - for free before ... working fine (in spite of DDR2 Kingston 1GB 333 Mhz)! Do not forget: The computer-system with SSD is running once more mouseclick fast, if hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6) is installed.

SSD resp. HDD capacity used <=80%

Boot-problems, do you have any problems during the booting? Just press the key for "i" for the interactive mode past the short message with udev. Now, by dialogs, it is possible to start each process manually or to resign from a process during the booting. On problems with the X-Server (graphic-card driver), start all processes except the display manager named "dm". On runlevel four less then five the terminal helps to enter all kind of commands to do the next things (like reinstalling the device driver or downgrading the X-Server from mdv2010.2 to mdv2010.0 by rpm again). Be careful with the installation of further kernel, as some links in /boot (boot-partition) can mismatch refering to the settings in /boot/grub/menu.lst. Then you have to relink them by ";ln -sf TARGET linkfile" by booting with a repair-CD, a repair-USB-stick or a backuped, mirrored media (we do recommend anyway), in order to mount the boot-partition.

SSD-harddiscs are even better than the manufacturer do specify
publised article from 18. Juni 2014, 08:38 from admin,
SSDs are the better replacement for magnetic harddrives, for there do not consist of any mobile parts and hence they are up to 100 × faster during reads and 20 × durings writes and they seemed to be work quit endless. Test show, that they do not only work superfast, but also endure ten times longer as their manunfacturer promise. You can read the explicit test report on Golem.

Online update sources: (FTP-downloads, here for el6, el7, mdv and mga) and http// (http-downloads for el6, el7, fc down to fc xx, mga down to mga xx), (http- and ftp-downloads, el6, el7, all popular distros and versions)

The many security-checks within MCC, especially sectools, should be set from "daily", "monthly" and so on to "manually", in order to prevent irritating backgroud-processes.

MCC gives the opportunity in Network->,Network-Center to enable and disable tcp-timestamp, tcp-windows-scaling and dynamic IPv6. IPv6 uses static IP, so latter disabling is recommended.

29. October 2014, 08:49 Uhr, heise open
"The CentOS-team has released Version 6.6 of their Linux-distribution. It sources in Red Hat Enterprise Linux (RHEL) with the same version number Red Hat published two weeks ago. Therefore the new CentOS includes all improvements, under it a plenty of new and actualized driver, a device-mapper-target for the mount of a SSD as a cache for slow storage-media and the intergration of the High Performance Networking (HPN) that was costly up to now. You can get CentOS for free. It promises compatiblity to many distributions and is going to be fostered for a long time. Therefore the already some years old CentOS 6 can be updated by security updates until the 30 of november 2026. Scientificlinux alias CentOS 6.7 is the second clone of RHEL 6.6, for Oracle has released the also cloned from this Oracle Linux 6.6 some days ago."

We found many packages by name already in SuSE 7.3 from year 2003 and Mandrake mdk10.0 from year 2004. The code of their includes must be read out well and better each day. Actual Gentoo-GLSA provides one of the best overview of updates for Linux:, descended ordered by time. Typical cases for updates refer to arbitrary code execution, multiple vulnerabilities (especially buffer overflow), denial of service and information disclosure.In order to make the installation of listed updates possible, glibc has to be actualized. Not all updates from the listed ones like cpio should be installed, while those for tar, bzip, freetype rpm, openssl (tarball) and many other ones do function. Try the belonging tarballs or downgrade again, if not. Notice, that updates provided for the distribution, except named exceptions below, are almost sufficient, for mdv2010.1 and mdv2010.2 you can find them on is a good installation and update source for most linux distribution except Debian (with its own deb-packages). Before a computer system gets updated, it always should be secured completely! For detailed troubleshooting, cases we did not have with mdv2010, sources out of the internet and newsgroup alt.linux.suse might be helpfuf too.

Linux permanently gets functional extended and therefore also the applications and libraries. Packet-Versions change as the distribution its version (by their own version-numbers) do. In order to make a distribution error-free like in our example mdv2010, use a linux-friendly mainboard and install only those packets (and tarballs), that are belonging to the same installed version of a most complex distribution past 2003. In our example they are always ending with "...mdv2010". Pakets of next higher versions like mdv2011 should interest only after upgrading the glibc adequately or experimental. Nevertheless, also think of all the updates referring to the same distribution and its version, marked by name ending with "...version[distributionversion).update-number". To find such packages, take the installation-DVD/CD and make queries for resp. mirror There, in the resulting listings, all packages are named explicitly in that way, that means by belonging distribution and version, but this might be the exception For mdv2010 a kernel-upgrade to mdv2012 by rpm-packages is possible. We do not recommend to change the distribution from mandriva to any other except many packages from Scientificlinux resp. ALT Linux resp. CentOS 6.7.

Does mdv2010 meet Fedora, actual fc23? Although mdv2010.1 and especially 2010.2 do not need any updates, you can upgrade mdv2010 to any actual linux, by installing the downward compatible C-standard-library glibc of rosa2014.1, mdv2012 or mga3 without rpm glibc itself out of glib2.0-common (fastest: actual pateched el6 or the sixtimes patched one from rosa2014.1 or mga3), glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-utils (el8, mga7, mga5, el6, rosa2014.1 or mga3), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8) glibc-profile (mga7, mga5, rosa2014.1 or mga3), glibc-static (el6) or glibc-static-devel (rosa2014.1, mga3), glibc-devel (rosa2014.1 or mga3), glibc-i18ndata (mga7, mga5, rosa2014.1 or mga3), glibc_lsb (mga3), libc6, mm-common (mga3), lib64glimm2 (mdv2010), gettext (rosa2014.1 or mga3), lib64gettext-misc (rosa2014.1), lib64gettextpo0 (rosa2014.1), lib64intl8 (rosa2014.1), lib64png16 (rosa2014.1), glib-networking (el6), lib64nspr4, lib64nss3, locales (rosa2014.1 or mga3), locales-en, locales-de, locales-fr, and further more locales and the C++-standard-library stdcc++, all for x86_64 and i586, by ";rpm -U --force --nodeps". For glibc DO NOT INSTALL MORE mga3 OR mdv2012 than the listed ones! Now the hugh gate to any ultimative-mouseclick-fast working linux world on SSD, even actual linux like today´s Fedora core 24, has opened for largest amount of software ever (even if not all of it)! You can upgrade and downgrade like by "elevators" reaching floors of distros and versions provided by listings from Warning: This does not function with all glibc without needing many other packages! You do not need them anymore. We repeat that software should do its function, while the rest is almost made secure by our excurs. After that we might install an actual version of the filesytem like e2fsprogs (1.43.2), reiserfsprogs (omv2015, mdv2011 or el7, el6), btrfsprogs and many updates recommended by Gentoo-GLSA, url see below. At last for our Linux-tuning, following the new filesystem-rpm, copy all files of /lib to /usr/lib, /lib64/* to /usr/lib64, /bin/* to /usr/bin, /sbin/* to /usr/sbin. After all the operations upon glibc, Linux is not able to run faster in future.

glibc (el8, pclos, mga7, mga5, rosa, mga3, mdv2012) complete for x86_64 (64 bit cpu), analogous i586 (32 bit), without making any problems: glibc (mga7, mga5), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), glibc-devel, libc6, glibc-i18ndata (mga7, mga5), glibc-profile (mga7, mga5), glibc-utils (mga7, mga5), glibc_lsb, gettext, locales, locales-en, locales-de, ..., gettext-base, lib64gettext-misc, lib64gettext-po0, lib64intl8, lib64png16, glib-gettextsize, glib-networking, glib2.0-common, lib64gio2, lib64glib-networking, lib64glib2.0, lib64glib2.0-devel, lib64glibmm2, lib64gmodule2, lib64gobject2, lib64ffi6, lib64gthread2, lib64stdc++, lib64QtGlib2.0, lib64packagekit-glib2 and prelink or glib2 (el7 or el6 instead of lib64gthread2 (rosa2014.1), lib64gio2 (rosa2014.1) and lib64gobject2 (rosa2014.1), we installed this one for this is el6 )

In order to avoid error-messages of glibc (el8) during system-boot, just remove the line LC_TIME=de_DE.UTF-8 in /etc/sysconfig/i18n ! Eventually install locales (pclos, mga7, mga6), locales-en, locales-de, ... too.

We decided us for the following GNU C Standard Library glibc:

glibc (el8, pclos, mga7, mga5, rosa2014.1), glibc-headers (el8), glibc-common (el8), glibc-utils (el8), glibc-all-langpacks (el8), libc6 (rosa2014.1), compat-glibc (el6), glibc-common (el6), glibc-i18ndata (mga7, mga5, rosa2014.1), glibc-headers (el8, el6), glibc-static (el6), glibc-utils (mga7, mga5, el6), glibc-profile (mga7, mga5, rosa2014.1), glibc-glibc_lsb (rosa2014.1), locales (rosa2014.1), glib2 (el6), prelink (rosa2014.1), lib64stdc++ (fc, pclos, mga, rosa2014.1 und el6) oder auch alles mga7, mga5 oder rosa2014.1

Paket-manager drakrpm offers the option named like "store in cache" in the menu for the seldom cases, where dependencies of packages are not solved correctly. Whenever this happens, downloaded packages should be copied from /var/cache/urpmi/rpm resp. /var/cache/urpmi/partial to any secure place for reinstallaton.

Depending on the graphic-card-driver x11-driver-video-name, for our platform with name=intel choose the X11-Server for mdv2010.0 even before mdv2010.1 refering to all files beginning with x11-server by name. Library-packages have to be installed for the X-Server too that are quit unknown in this context for you. To go sure with the X11-server of mdv2010.1, install all library-packages (lib64....rpm) you need for the program-packages at first, before the installation of the X-Server of mdv2010.1 takes place. So one of the last packages to update are those for the X-Server of mdv2010.1!

Either a programm is working or it is not, that means, it does its introduced functions or it does not. In the first case updates are seldom needed!

Be careful with the installation of many el6-packages. Some can restrict the functionality of mdv2010 (el6, el7), for expample usermode can effect the call by mouseclick of MCC. So collect all previous installed rpm of mdv2010 in a directory for possible reinstallation needs.

For SMP#1 (mainboard with one CPU only), wallpaper´s fly mode of a wallpaper is not recommended.

Method for prevention: already mentioned encryption of the partitons of the harddrive, also from USB-media, at least the encryption of some certain files. You see by all the already red marked passages and text: Although we dare to talk about security for the computer and although all payed amounts and sums in conjunction with computer should be transfered back, of course it is never learnt out.

Data backup and restore

Always keep all installation-packets accessible. During installation phases, even mdv2010 can conflict in some unsolved of the quit infinite package-dependencies.Check out some programs, if the stell do start and run. If the shell or any program does not, use a terminal to start them in order to watch out error-messages as the cause (for packages) why not, in more serious cases use the prefix strace: "strace command-executable-file". If mdv is not booting correctly, the key "i" should be pressed to get into the interactive mode, where almost all should be started except the displaymanager dm.

You can save your SSD possibly forever! Not only two SSD or one more harddrive are needed, you also need a bootable USB-stick or Mindi or Mondo or a Knoppix from DVD resp. on a 250 MB sized partition to execute the command dd for the backup and restore of partitions.

Recommended (PCWelt, 08.08.2015) commands are rsync or fontend grsync, alternatively rdiff, all packages resp. commands are provided for mdv2010. For SSD, in order to save power, work reliable and abstract, we recommend one more SSD or a magnetic backup harddisk, where partitions have to be mirrored 1:1 by partiton manager, rsync its helpful frontend grsync, the command rdiff or special mirror-commands. Such commands full of options really do their best, even over SSH. But for local backups and restores, that means, if you ask us, we just prefer the simple command dd resp. safecopy, depictied below: unbeatbale! Although SSDs do not like dd very much by taking their time with it, dd always seems to reach its end at any time (dd works around 1 GiB per Minute refering to our SSD), or use dd-replacement safecopy, if not. Notice, that dd still does not provide any progress-bar. But do not believe in fairy tales as this certain country is known for, perfer dd, as for example neither the operating system nor oneself does know exactly, what all to backup, which partitions, directories and files, in order to pevent the worst one can happen: new installation, problems during restauration, file manipulation after hacker attacks with vandalism and/or data loss. So resign from so called backup-programs by backuping and restoring always 1:1-partitionwise with dd, here partition sda1 onto partition sdb1:

dd if=/dev/sda1 of=/dev/sdb1

Use sdd instead of dd to see a progressbar.

With the reliable dd, your partitions get always restored, if damaged. Therefore never use any other backup-programs for your partitions, don´t be such fool ! It is dd always terminating fine, only not in the case, its environment got damaged, in our example Knoppix from an own partition from SSD resp. harddisc or DVD. Therefore keep the Knoppix-partition on all media, the backuped one and its backupening, beneath Knoppix on DVD and/or USB-Stick.

The only disadvantage of dd is, that dd does not show any progress bar.

If you want to be even more clever for making backups than even dd allows, use dcfldd. This el6-rpm works on mdv2010 like dd, but does show a progressbar. Some more extensions enable fexible-disc-wipes, an resume on error, the estimation of md5-checksums using additional options like "hash=md5" and "md5log=md5.txt" and splitting the output-files.

Although with dd all data backups managed well, even on SSD, it is warned against the use of this command for SSD. :
dd does fills unused and empty sectors and blocks with zero, so that the essential spare-area of SSD will not be free anymore. Even the for speed (access-times) important alignment becomes absurd. The amount of write-operarations shortens its life-time.
Therefore the command cp and rsync are recommended.[...]
Clonezilla advantages in transferring only the non-empty blocks during the data-transfer.

Linux-Bot-Net, Heartbleed, Shellshock, glibc-Patch, Bad Cow, ... on the way to Zero Updates, zero Patches and zero Bugfixes

Following distribution offer updates for mdv2010: omv2015, mga, rosa2014, mdv, fc, el7 and el6.

In msec, set "allow-root-login" to "yes", during the updating processes, in order to guarantee the usage of bash-commands and the work with the package-manager rpm.

Make a 1:1-partitionswise backup on an extern media by reliable (even on encrypted partitions) working commands like dd from rescue-DVD or Linux on USB-stick, that can be used for restoring too.

One more aim of updating is to set "allow-root-login" again back to "no", to move all logfiles to shm- (RAM-) directory /tmp, to set the root-partition to "ro" (read-only) and to deactivate the journalling feature of linux-filesystems. This is performed at the very end of this section for reiserfs.

Many cases like bash with the so called Shellshock, glibc, Linux-botnets and openSSL and so on tell us about the of essentiality updates.

Security leak "Dirty Cow" within the Linux-kernel enpossibles prohibited extension of access rights:ücke-im-linux-kernel-ermöglicht-lokale-rechteausweitung.html. In this report apparmor is mentioned, that might generally help. Start apparmor in the background for example in /etc/rc.local by /usr/lib64/apparmorapplet&
This security-lack is known by kernel-developer for many years. Nevertheless, with linfw3 and msec configured as introduced, Dirty Cow becomes no risk, as an intrusion into the system is conditioned, regardless from patching the kernel or not. Kernel 5.4.110 (PCLinuxOS2019) with mkinitrd (pclos, rosa, mga2), nash (pclos, rosa, mga2), dracut (mga6: version 044, el6: version 004 (leads into manual LUKS-password request even in the case of existing password-key-file!, mdv2011: version 008)) and glibc (el8, pclos, mga6) resp. kernel (mdv2011) can be patched with patches from year 2011 up to date from We made good experiences with this patched kernel.

Plenty of packages of mdv2010 resp. mdv2011 can be updated with CentOS 6, CentOS 7, Rosa2014.1 and Rosa2012, except KDE-Akonadi-Nepomuk for interal dependency (mdv2010: Version 4.4.5) and a few single packages. KDE can be updated completely.

KDE 4.4.5 includes many updates as mentioned by the report from year 2008: "For the release of 4.2 the KDE-Team fixed thousand errors and builds in many new features missed in KDE 4.2. This beta release gives the oppurtunity to check last errors and bugs. The KDE Team has published a list with significant improvements in 4.2 Beta 2. Since the first beta less than four weeks ago, 1.665 new errors were found out and 2.243 ones got corrected. Sine the release of KDE 4.1.0 more than 10.000 errors wth a strong view upon the stability of KDE 4.2 were fixed Past KDE 4.2 many monthly updates are expected and finally, in summer 2009, KDE 4.3. Signficant improvements of Plasma and KWin, the KDE Workspace... ."

Our KDE solution: KDE as a mix out of kde 4.4.5/4.4.9 (mdv2010.2, November 2011), kde-4.3.4 (el6, actual patched up to year 2026) and kde (4.4.4, OpenSuSE 11.2, end of year 2013)

By mdv2010.0, mdv2010.1, mdv2010.2 and some mdv2011.0, most versions and releases of RPM-packages got fixed and patched well for functionality for around two years- similar to el6 and el7 from year 2010 to 2026. . All update-rpm listed below will lead into an up to year 2026 actual, well functioning Linux. Only the two up to five times patched KDE 4.4.5 (mdv2010.2) is not upgraded. You can keep it or try KDE (omv2015) or KDE of mandriva-successor Rosa2014.1 from for example. In the case of dependency-conflicts, dare to install by package-manager rpm with the option --force and --nodeps (analog Debian), if you keep the preceeding packages beneath you and if you care for the installation packages that are still required, listed by rpm during the installation-process.

Except for Browser, bash and OpenSSL, mdv2010 and Linfw3 make it possible: processes for net-connections (inclusive server resp. all daemons resp. services to activate explicilty) have to be started, build-up and therefore posessed only by the password-protected user "surfuser" belonging to group "surfgroup", while LINFW3 is blocking all other processes not started by surfuser, even those owned by root. The next thing, Linfw3 does, is opening only those ports belonging to such activated services. Furthermore it should be not allowed to chroot, while surfuser is not a member of any user and not any group except surfgroup. To login as root, a root-login should generally not be allowed by configuration (MCC, security settings), and a user must be a member of the group wheel, in order to login as root, what can reduce the time for different works without riscing to much, if LINFW3 protecting with UID-owner surfuser and GID-owner gets activated. Using MCC security an accessless root access can be configured for the command su. In the device-configuration-file /etc/fstab It is also possible, to set the option "noexec" each partition, especially for the partition including the files owned by the user "surfuser". Then the configuration of file-release within LAN and access-rights for directories and files can even prevent the reading of directories and files with sensible data ("chown non-surfuser; chmod 700"): the concept of UNIX-(file)systems! Its a remaining matter of communication-protocols themselves, that can be used (build-up) by the password-protected surfuser through belonging port-releases only. To be more careful than careful, move all sensilbe data to a one more encryted partition or an encrypted extern media, that should be plugged in or read again only the time, suspect services are not activated (when belonging connections are not build-up). This fact is described more in detail below in our section for LINFW3. You can even resign from many updates. But nevertheless, to go sure (over sure) as promised, we are going to describe, how mdv2010 can be kept uptodate almost by the until 2026 actualized Scientificlinux alias CentOS 6 resp 7.

Good luck: Unix/Linux always consists in main of the same software, kernel, grub/lilo, dracut, glibc, X11-Server, window- and desktop-manager like Gnome and KDE with konqueror and kpim out of kmail, knodes, clamav, firefox, OpenOffice and koffice, gimp and so on. In comparison with non OpenSource, this opensource is checked many times for it is read out well. Notice, that many new updates, patches and bugfixes listed in for mdv and GLSA Gentoo just rely on functionality extensions. Therefore, do not use them. They might not work!

Everything of mdv2010 will run fine and stable on your SSD, except the KDE leading to sink plasmoid Daisy, belonging to the plasmoids like such for the wheather-forecast for example, exchanging data with extern sources. You can always deinstall and deactivate such insecure behaving plasmoids. Although the upgrade of glibc to rosa2014.1, mga3 or higher widens the possibilities, mdv2010 bewares its sensibilities in the case of the installation of wrong packages, that can lead to serious hard system-breakdowns and hangups. Think like the MCC-packet-manager. Beware previous installed packages, until mdv2010 runs stable (reinstallation: rpm -U --force and/or --nodeps).

Have a look into the changelog of each packet. There you get to know about all modificiations by date and the name of the day of the week in descending order, the modification time, name resp. e-mail-adresse of each author (programmer), who has programmed the modification and a short description of the modification itself. It must be at last the publishing organisation, who has checked all this information out using tools like diff. Some updated resp. patched packages can be found out immediately by their high version release number (el6 and el7) like NetworkManager-xxxx-107 (el6), where 99 stands for the 99th release or in addition by the number after the point at the end of the version number (mdk, mdv, mga) like NetworkManager-xxxx-25.2, where "2" stands for the second patch of the version´s release. If the version number differs in the first ciphers, the package almost contains serious hard changes. If the version number differs in end-ciphers only from the already installed one, it gets more likely, that you can use this package for replacement. Right before the version number resp. the end of the package name the short name for the belonging distribution, followed by the kind of processor is named resp. the "noarch" in the case of independency from the processor type. A third person not named in the changelog and list of the packager names would have as much difficulties with the manipulation of the packets as cracking and hacking the computer with the rpm-command and the files on the storage media.

Filesystem, you have several opportunities: reiserfsprogs (omv2015, omv2014) or reiserfs-utils (fc23, el7, el6), e2fsprogs (1.43.2) with lib64ext2fs (rosa2014.1) without uClibc (omv2014, omv2015), uclibc-lib64ext2fs (omv2014, omv2015)
reiserfs-3.6.24-8.5 (OpenSuSE Factory) with libreiserfs, libreiserfs-progs and libreiserfscore0.
The harddrive (SSD) causes errors for some reiserfs-versions during the system boot and checks by reiserfsck. Therefore our choice consists of reiserfsprogs (omv2015) and e2fprogs (rosa2014.1) together with lib64ext2fs (rosa2014.1)- causing no errors anymore.

hdparm (omv2015, rosa2014.1, el7, el6) and sdparm (omv2015, rosa2014.1, el7, el6): adequate SSD-parameters within /etc/rc.local (hdparm -W1a0A0 /dev/sda) support our aim: all on SSD and mouseclick-fast! MCC, gparted and disk manager Palimpsest provides overview, some administration, benchmarks and partitioning.

Notice, that all package-dependencies have to be installed with one package. Otherwise this can cause a state similar to buffe-overrflows, where CPU and RAM seem to have lost their capacities quit working endless.

Next point: specific microcode-update for the CPU. For the mainboard we introduce in data-sheed, ucode-intel (OpenSuSE) and ucode-intel-blob (OpenSuSE) should be installed to follow our aim of mouseclick-fast PC-working.

All updates (since) mdv2007.0 and mdv2010 do regulary refer to, and this is the advantage of UNIX-Systems: buggish software (not much for mentioned mdv), all net-communication-programs like proxy (squid,...), MySQL, telephony, the browser (using ssl3.0 instead of tls as reported by three members of the Google-Team, that means all firefox up to an actual resp. TLS-using version 34 ( unpacking an easy by menu updateable, actual firefox into a directory like /usr/lib64/firefox and choosing "Update Firefox" out of the menu (same for Thunderbird into /usr/lib64/thunderbird), updating firefox in detail, see our section updating firefox. Such

How to block scripts and ads with an ad- resp. script-blocker like and adblockplus is much more simple than presented by their typical large resource-killing blocking-lists full of pregiven exceptions:
At first all blocking-scripts like easylist have to be removed out of AdblockPlus resp. other adblocker. Many of them contain exceptions. The special convenience for (more) exceptions has to be deactivated too by clicking upon the hook, so that the hook does not appear anymore.
Now, like firewall linfw3, the "trusted"-strategy, "forbidden is, what is not (explicitly) allowed" should be followed.
Therefore the only existant private ad- resp. scriptfilter should just include the following entries:
OK or just the one single char for a star:
for all, that could ever be blocked from a website!
That´s all ! It is not a bad idea to allow all stylesheets (css) by adding the one more entry @@*.css* right at the top of the filter list. Very brave ones risk webbugs (scripts with an image output) filtered out by other extensions and add @@*.jpg* , @@*.jpeg*, @@*.gif* and @@*.png* too, that can be allowed in ABP resp. ABL as exceptions each website loaded. Filter-lists from elsewhere like the up-to-date to keep EasyList with their many exceptions are not needed anymore! They just were nonsens, as no more entries are needed (eventually except some more top-sublevel-domains (country-codes) in addition to "*.de/*".

So a single char for the star apriori "*"does already do its very best!

Our final solution: Our complete ABP- resp. ABL-filter-list, especially at the very beginning, just has got the includes:

ABP (Firefox <= ESR 52.9.0):

ABL (Pale Moon):

without any further entries and without any imported filter-lists (full of exceptions and superfluous rules) like EasyList.

Good luck: These few snake-speeded entries do not influence the surf-speed measurable much.

In order to make visible now, what should in your eyes be visible from a loaded website, EXCEPTION by exception should be added to the list almost using wildcards resp. regular expressions after the build-up of the side, until the hidden (blocked) parts get visible. At first, if the css-entry should be missing, think of all Stylesheets (css) to consider as exceptions, while especially most or all Javscript (.js) should still be blocked. To go sure, block *.js and *.pl beneath the general "*" from above in future (as already made in our list above). Enter exceptions for not shown images (if belonging exceptions from above should still be missing) by entries like https://.../*.jpg and https://.../*.png too.
After that, the webside should be loaded one more time (refresh) and JavaScript should be disabled again for the next certain time by "javascript.enabled false" passing "about:config". If the filters of ABP resp. ABL are set as recommended above, beware for Firefox-ESR (and, if you want, also Pale Moon) "javascript.enabled true" as all javascript is already filtered out. Listed extensions will really work fine, if set to true.

Do the same with Firefox-Extension RequestPolicyBlockedContinued just to be even more careful or to do it more additionally, as unknown Tracker already got blocked with their first appearance, until they get allowed by the user.

In the first configuration window set all three hooks, therewith new rules entered can be stored durable and not only temporary.

Next configuration window deals with the ruleset. Enter a new rule by electing "block" and entering a * (star) again into all fields for the new rule. Now the self-blockade of a webside (resp. server) has to be prevented by allowing the belonging rule just for the trusted server itself. If not, images and other objects might get blocked.

There are pregiven rules within the ruleset of RequestPolicyBlockContinued located in a directory far sub /home/surfuser/.mozilla/firefox/default-or-standard-profile with the some json-typed files like allow_functionality.json, allow_sameorg.json and so on, that can also be overworked, if you want..

The private mode can be deactivated by clicking upon settings in Firefox ESR, although this won´t be the truth, that means he won´t become really deactivated through using extension Private Tabs. Or take it the other way: activate the private mode and deactivate him by clicking upon the TAB to deactivate the private mode through Private TAB.

OKIncognito-mode for the protection of the privacy during surfing,, 03.11.2019
Windows-10-Browser Edge as much as Google Chrome and Firefox offer a mode leaving no tracks during the surfuing on the PC behind. Howto use this mode in a reliable way:
Whenever you change into the private surf-mode, all during the visit of websites stored information like cookies, history protocols, web-cache, images and videos are deleted resp. removed past the closing of the browser.
This especially interests, if you are surfing with a foreign computer in the web, in order to avoid leaving any tracks behind you. But this is an advantage for your own PC too, as the deletion (removal) of your surf data at the end of each internet-session makes it more difficult for the owner resp. administrators of websites to create user profiles.
[...] Notice, that the private mode does not care for anonymity in the internet Your internet provider (ISP), the administrator of the router of communities or the net administrator in the net of a company is still enabled to evaluate the sites visisted, the links clicked and data transferred.,3450334

Did we mention it, didn´t you know? PHP- and Perl-scripts are interpreted always at first and serversided each website load, before the Javascript and HTML is interpreted client-sided (on the side of the surfer resp. user).

. In the hope,.that user.js from KaiRaven and other authors is copied into the standard-profile-directory, that linfw3 and firejail got installed and configured, /etc/hosts from far below of this website is located and the DNS (in the priority local followed by remote and pdnsd) configured well, the surfing with Firefox ESR can right begin!

During the surfing, noscript and RequestBlockPolicyContinued have to be analyzed past the load of a website. It is your own, free choice to filter out or to pass listed scripts by. If a webseite requires cookies, they can be allowed by the CookieController.

All, that has to be done now after the configuration of listed extensions too, is to start the browser and to click upon the first and only appearing TAB to make it private (working in private mode).

Nevertheless what we have seen works on the base of "trusted" like linfw3 and openssl upon ssl-certificates and so on might do.
But AdblockPlus changed its layout in November 2017 making such configuration impossible. Try elder versions downloadable from named mozilla-adblockplus-2.9.1-27 (fc28, fc27, el7, el6), noscript: mozilla-noscript (-,, 5.1.7-1, fc28, fc27, el7, el6) or seamonkey-noscript (el6, 5.1.9-3, recommended noscript for ff-ESR-52.9.0; contains the xpi-installation-file),

Noscript, rpm mozilla-noscript (fc29, el7, el6) can enforce ssl-encryption (https) of addressed websites, by entering in a great text-input-field of register HTTPS:


Write exceptions below each other in the field below. Firefox-extension https.everywhere, rpm mozilla-https-everywhere (fc, el6 or, is not needed anymore.

The important Firefox-security-extension RequestPolicyBlockedContinued, rpm: mozilla-requestpolicy (-1.0-0.22.20171019git633302 fc29, el7, el6) might contain some pre-defined rules, but it also enables the adding of temporary as much as persistent new rules for user. They might be set generally under target and therefore not under start, using * for any port. You might want to set them for extern loaded fonts and google like *syndication*:*/*, *analytics*:*/*, *tagmanager*:*/*, *usercontent*.*:*, *google.*:*/* and other targets. Install this extension past ABP, but before noscript.

OKSearchplugins (for integrated in search engines) of Firefox /usr/lib64/firefox/browser/searchplugins can be removed except one. If you remove all, the context menu might not build up completely, for example copy and paste of text and links might not function anymore.
To go sure, remove the search-parameters within the remaining xml-searchplugin by a text-editor like nano.

OKBrowser-Fingerprinting: GPU-tracking is possible,,, 02.06.2022
Browser-Tracking für Webseiten-Betreiber maßgeblich vereinfacht - Leistungscharakteristika einer Grafikeinheit sehr individuell
Auch ohne Tracking-Cookies können beim Browsen mittels Fingerprinting Computer, Notebooks, Smartphones sowie andere Geräte über längere Zeiträume identifiziert werden. Dass sich die Grafikeinheit in einem Gerät zur Nachverfolgung ausnutzen lässt, konnte ein Forschungsverbund aus australischen, israelischen und französischen Universitäten jetzt beweisen.
Über die bei Browsern gängige Grafik-API WebGL lässt die DrawnApart genannte Technik (Paper) kurzweilige Grafikberechnungen laufen. Dabei protokolliert sie per JavaScript Parameter, einen Großteil der Anzahl der Shader-Kerne, die Taktfrequenz und die benötigte Zeit zum Rendern. Die Berechnungen können wahlweise entweder für wenige Sekunden im Vordergrund oder für einen längeren Zeitraum im Hintergrund laufen.
Bisherige Identifizierungstechniken erweitert
Eigentlich identische Hardware lässt sich theoretisch auseinanderhalten, da die Halbleiterbauelemente einzigartig sind. Jede GPU hat nämlich eine eigene Kurve aus Spannung und Takt. Das Forschungsteam machte sich diese Leistungscharakteristika zu Nutze, um bestehende Browser-Fingerprinting-Techniken auszubauen. Bisherige lesen Hardware-Konfigurationen, Browser-Versionen und -Einstellungen aus. Geräte lassen sich nach Software-Updates und umgesteckter Hardware mit den DrawnApart-Daten besser identifizieren, sofern dieselbe GPU zum Einsatz kommt.
Über Monate wurde im Paper und dem Verbund mit DranwnApart einzeln wie gemeinsam auf mehr als 2.500 Geräten die Fingerabdruck-Technik FP Stalker getestet. Das Ergebnis: Die mittlere Tracking-Dauer stieg von 16 auf 30 Tage (+ 66,7 Prozent), wenn alle sechs Tage eine präparierte Webseite besucht wurde. Bei einem Intervall von sieben Tagen stieg die mittlere Tracking-Dauer von 17,5 auf 28 Tage (+ 60 Prozent). Weniger als die Hälfte der Browser-Instanzen ließen sich nach diesen Zeiträumen noch zuverlässig identifizieren.
Unternehmen wie Apple, Microsoft, Google und Mozilla entwickeln aktuell den potenziellen WebGL-Nachfolger WebGU, der neben Grafik- auch komplexe Compute-Shader ausführen kann. Das Forschungsteam ließ Mutex-Funktionen auf allen Shader-Gruppen einer GPU laufen und protokollierte, welche Shader-Gruppe wie schnell die Aufgabe erledigte. Die Dauer zur Identifizierung von etwa acht Sekunden verkürzte sich auf 150 Millisekunden. Und das bei einer Klassifikationsgenauigkeit von 98 Prozent. So plädiert das Forschungsteam dafür, bei der Entwicklung neuer Browser-APIs das Thema Privatsphäre in den Fokus zu rücken.
Quelle: heise online Redaktion

OKIncognito-Mode: Protecting the privacy during the surfing,, 06.04.2018
Windows-10-Browser Edge as well as Google Chrome and Firefox provide a mode keeping from tracking the PC.
[...] Firefox-users have to click upon the icon with the three horizontal bars right up in the menu to choose "private windows" or by pressing the keys STRG-P.,3450334

OKCertifcates: Following permissions can be set to the values "Always-ask", "allow" and "block" for each website by clicking on the symbol for the lock and register "Permissions":

OKRemove (quit) all URL resp. URI the browser (including Pale Moon and Tor-Browser) has stored and lists through about:config
about:config -> type into the address-search-line http -> remove listed URL by clicking upon them and exchanging them through a blank (empty string).

Access Your Location
Intall Add-ons
Load Images
Maintain Offline Storage
Open Pop-up Window
Receive Notifications
Set Cookies
Share the Screen
Use the Camera
Use the Microphone

OKFinally one should have read the report for the configuration of firefox-ESR by "about:config": Firefox-Tuning zur Absicherung und Anonymisierung,, to understand what we do next. (!!!)
There the configuration of almost overwritten values out of about:config should happen through mozilla.cfg. But this does not work. The include of this file has to be taken over (copied) from mozilla.cfg (installation directory) into defaults/local-settings.js. Now the "forgotten" values are almost set in Firefox ESR.
All entries are listed in ´

* /home/surfuser/.mozilla/firefox/your_default_profile_directory00-or-so/user.js *
* *
One more listing:


// always enable mouseclick on links and formular text inputs:
// (user_pref("network.protocol_handler.expose_all", true)
// section TOR-BROWSER (ff-ESR) only
// ===================================================
// The meek-http-helper extension uses dump to write its listening port number
/// to stdout.

// user.js for Pale Moon and Firefox-ESR-52.9

// pale moon- and therefore also ff- extension SecretAgent for setting and changing user agents

user_pref("extensions.SecretAgent.StealthMode", true);

// enable javascript, so that ABP (fc29) of ff will work, but disable it for Pale Moon because of ABL. ABL works even, if disabled.

user_pref("javascript.enabled", true);

user_pref("browser.addon-watch.ignore", "");

// block images: 3: from third parties
user_pref("permissions.default.image", 3);
// Next one might block webbugs etc.:
user_pref("security.xcto_nosniff_block_images", true);
// disable ftp user_pref("network.protocol-handler.external.ftp" true);
//Proxy: always use anonymizing Tor each ff-start

user_pref("network.http.proxy.pipelining", false);
// Settings won´ get stored, when using: user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.socks", "");
user_pref("network.proxy.socks_port", 9050);
user_pref("network.proxy.type", 1);

// DNS for Tor: remote DNS lookup at first or local DNS lookup at first. We care especially for the case "false" in future in the excurs-section for DNS-Server

user_pref("network.proxy.socks_remote_dns", false);

// Erhöhung der Privatsphäre gegenüber Suchmaschinen: Wie bereits dargestellt übermittelt Firefox standardmäßig jeden einzelnen Buchstaben bzw. unsere Eingabe an eine
// Suchmaschine, ohne dass wir die Suchabfrage überhaupt abgesendet haben. Diese "Komfortfunktion" wird über die user.js deaktiviert. Wer die Funktion beibehalten möchte, der kann optional
// folgende drei Zeilen einfach entfernen:
// ## Disable location bar LIVE search suggestions
user_pref("", false);
user_pref("browser.urlbar.suggest.searches", false);

// some more settings
// Strict user.js: Die strenge user.js blockiert restriktiv vieles, was für Tracking sowie Sicherheit relevant sein könnte. Neben Trackinschutz sollen auch Möglichkeiten für Angriffe auf den Browser minimiert werden.
// Diese Einstellungen sind für Risiko­gruppen geeignet, die für höhere Sicherheit einige Einschränkungen in Kauf nehmen.
// Javascript Just-in-Time-Compiler sind aus Sicherheitsgründen deaktiviert, was die ausführung von Javascript auf einige Webseiten verlangsamt.
// Anzeige von PDF Dokumenten im Browser ist deaktiviert.
// SVG, Flash, WebGL und WebGL2 sind komplett deaktiviert.
// Auto-Play und Hardware Video Decoding sind deaktiviert.
// Closed Source Video Codecs werden nicht verwendet.
// Favicons werden nicht geladen und nicht gespeichert.
// Es werden keine Login Credentials gespeichert.
// Unverschlüsseltes HTTP und FTP sind abgeschaltet, nur HTTPS möglich.
// Push Services sind deaktiviert.
// Der Download von externen Schriftarten ist auch für Symbole deaktiviert. Um die resultierenden Einschränkungen etwas abzumildern, kann man häufig genutzte Webicon Fonts wie den Awesome Webicon Font lokal
// installieren. Linux Distributionen enthalten passende Pakete:
// Ubuntu: > sudo apt install fonts-font-awesome
// Fedora: > sudo dnf install fontawesome-fonts fontawesome-fonts-web

user_pref("noscript.preset", "medium");
user_pref("", 0);
user_pref("status4evar.advanced.status.detectVideo", false);
user_pref("devtools.cache.disabled", false); // must be set to false, true might cause screen-flickering!
user_pref("devtools.browserconsole.filter.secerror", false);
user_pref("devtools.command-button-frames.enabled", false);
user_pref("devtools.command-button-responsive.enabled", false);
user_pref("devtools.command-buttion-splitconsole.enabled", false);
user_pref("media.gmp-manager.certs.2.commonName", "");
user_pref("media.gmp-manager.certs.1.commonName", "");
user_pref("", "");
user_pref("", "");
user_pref("general.useragent.compatMode.gecko", false);
user_pref("general.useragent.compatMode", 0);
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "" );
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("", "");
user_pref("general.useragent.override.players.brightcove", "");
user_pref("", "");
user_pref("", "");
user_pref("security.ssl.disable_session_identifiers", false);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.gcli.imgurClientID", "");
user_pref("devtools.remote.wifi.visible", false);
user_pref("browser.dom.window.dump.enabled", true);
// Enable (here disable) SPDY and HTTP/2 as they are in Firefox 38, for a matching ALPN extension.
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.enabled.http2draft", false);
user_pref("network.http.spdy.enabled.v3-1", false);
user_pref("network.http.spdy.coalesce-hostnames", false);
user_pref("dom.disable_beforeunload", true);

// Disable safe mode. In case of a crash, we Don´t want to prompt for a
// safe-mode browser that has extensions disabled.
user_pref("toolkit.startup.max_resumed_crashes", -1);

// end section TOR-BROWSER
// Set a failsafe blackhole proxy of, to prevent network interaction
// in case the user manages to open this profile with a normal browser UI (i.e.,
// not headless with the meek-http-helper extension running). Port 9 is
// "discard", so it should work as a blackhole whether the port is open or
// closed. network.proxy.type=1 means "Manual proxy configuration".
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "");
user_pref("network.proxy.socks_port", 9);
// Make sure DNS is also blackholed. network.proxy.socks_remote_dns is
// overridden by meek-http-helper at startup.
user_pref("canvas.capturestream.enabled", false);
user_pref("security.csp.experimentalEnabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.permissionPrompts.showCloseButton", true);
user_pref("privacy.popups.disable_from_plugins", 3);
user_pref("privacy.resistFingerprinting", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("security.family_safety.mode", 0);
user_pref("social.directories", "");
user_pref("svg.disabled", true);
user_pref("extensions.enabledAddons", "");
user_pref("network.protocol-handler.expose.ftp", false);
user_pref("network.protocol-handler.external.ftp", false);
user_pref("image. animation_mode" "normal");
user_pref("update. interval", 0);
Determines when images should be loaded.
1 (default): Load all images
2: Do not load any images
3: Load images from same (originating) server only
Note: This preference was previously known as
user_pref("permissions.default.image", 1);
user_pref("Media.navigator.enabled", false);
user_pref("Media.peerconnection.enabled", false);
user_pref("Browser.taskbar.previews.enable", false);
user_pref("Privacy.resistFingerprinting", true);
// Pale Moon Extension: Block Content Download
user_pref("extensions.mdsy.block.script", false);
user_pref("extensions.mdsy.block.xhr", true);
user_pref("extensions.mdsy.block.image", false);
user_pref("", true);
user_pref("extensions.mdsy.block.object", true);
user_pref("extensions.mdsy.block.font", true);
user_pref("", false);
user_pref("permissions.default.image", 3);
user_pref("permissions.default.object", 2);
user_pref("permissions.default.script", 3);
user_pref("permissions.default.stylesheet", 3);
user_pref("permissions.default.subdocument", 3);
// recommended for Firefox-ESR
// listed settings contribute to anonymizing and increasing speed of firefox up to 100%
// copy to /home/user/.mozilla/firefox/*your_profile_default_directory/
// PREF: Disable Service Workers
// NOTICE: Disabling ServiceWorkers breaks functionality on some sites (Google Street View...)
// Unknown security implications
// CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
user_pref("dom.serviceWorkers.enabled", false);

// PREF: Disable Web Workers
// NOTICE: Disabling Web Workers breaks "Download as ZIP" functionality on, WhatsApp Web and probably others
user_pref("dom.workers.enabled", false);

user_pref("browser.tabs.closeWindowWithLastTab", false);

// PREF: Disable web notifications
user_pref("dom.webnotifications.enabled", false);

// PREF: Disable DOM timing API
user_pref("dom.enable_performance", false);

// PREF: Make sure the User Timing API does not provide a new high resolution timestamp
user_pref("dom.enable_user_timing", false);

// PREF: Disable Web Audio API
user_pref("dom.webaudio.enabled", false);

// PREF: Disable Location-Aware Browsing (geolocation)
user_pref("geo.enabled", false);

// PREF: When geolocation is enabled, use Mozilla geolocation service instead of Google
user_pref("geo.wifi.uri", "");

// PREF: When geolocation is enabled, don´t log geolocation requests to the console
user_pref("geo.wifi.logging.enabled", false);

// PREF: Disable raw TCP socket support (mozTCPSocket)
user_pref("dom.mozTCPSocket.enabled", false);

// PREF: Disable DOM storage (disabled)
// NOTICE-DISABLED: Disabling DOM storage is known to cause´TypeError: localStorage is null´ errors
user_pref("", false);

// PREF: Disable leaking network/browser connection information via Javascript
// Network Information API provides general information about the system´s connection type (WiFi, cellular, etc.)
user_pref("dom.netinfo.enabled", false);

// PREF: Disable network API (Firefox< 32)
user_pref("", false);
user_pref("network.dns.disableIPv6", true);
// PREF: Disable WebRTC entirely to prevent leaking internal IP addresses (Firefox< 42)
// NOTICE: Disabling WebRTC breaks peer-to-peer file sharing tools ( ...)
user_pref("media.peerconnection.enabled", false);

// PREF: Don´t reveal your internal IP when WebRTC is enabled (Firefox>= 42)
user_pref("", true); // Firefox 42-51
user_pref("", true); // Firefox>= 52

// PREF: Disable WebRTC getUserMedia, screen sharing, audio capture, video capture
user_pref("media.navigator.enabled", false);
user_pref("", false);
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);

// PREF: Disable battery API (Firefox< 52)
user_pref("dom.battery.enabled", false);

// PREF: Disable telephony API
user_pref("dom.telephony.enabled", false);

// PREF: Disable "beacon" asynchronous HTTP transfers (used for analytics)
user_pref("beacon.enabled", false);

// PREF: Disable clipboard event detection (onCut/onCopy/onPaste) via Javascript
// NOTICE: Disabling clipboard events breaks Ctrl+C/X/V copy/cut/paste functionaility in JS-based web applications (Google Docs...)
user_pref("dom.event.clipboardevents.enabled", false);

// PREF: Disable "copy to clipboard" functionality via Javascript (Firefox>= 41)
// NOTICE: Disabling clipboard operations will break legitimate JS-based "copy to clipboard" functionality
user_pref("dom.allow_cut_copy", false);

// PREF: Disable speech recognition
user_pref("media.webspeech.recognition.enable", false);

// PREF: Disable speech synthesis
user_pref("media.webspeech.synth.enabled", false);

// PREF: Disable sensor API
user_pref("device.sensors.enabled", false);

// PREF: Disable pinging URIs specified in HTML< ping= attributes
user_pref("browser.send_pings", false);

// PREF: When browser pings are enabled, only allow pinging the same host as the origin page
user_pref("browser.send_pings.require_same_host", true);

// PREF: Disable IndexedDB (disabled)
// NOTICE-DISABLED: IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled
user_pref("dom.indexedDB.enabled", false);

// TODO: "Access Your Location" "Maintain Offline Storage" "Show Notifications"

// PREF: Disable gamepad API to prevent USB device enumeration
user_pref("dom.gamepad.enabled", false);

// PREF: Disable virtual reality devices APIs
user_pref("dom.vr.enabled", false);

// PREF: Disable vibrator API
user_pref("dom.vibrator.enabled", false);

// PREF: Disable resource timing API
user_pref("dom.enable_resource_timing", false);

// PREF: Disable Archive API (Firefox< 54)
user_pref("dom.archivereader.enabled", false);

// PREF: Disable webGL
user_pref("webgl.disabled", true);
// PREF: When webGL is enabled, use the minimum capability mode
user_pref("webgl.min_capability_mode", true);
// PREF: When webGL is enabled, disable webGL extensions
user_pref("webgl.disable-extensions", true);
// PREF: When webGL is enabled, force enabling it even when layer acceleration is not supported
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
// PREF: When webGL is enabled, do not expose information about the graphics driver
user_pref("webgl.enable-debug-renderer-info", false);
// somewhat related...
user_pref("pdfjs.enableWebGL", false);

// PREF: Spoof dual-core CPU
user_pref("dom.maxHardwareConcurrency", 2);

* SECTION: Misc *

// PREF: Disable face detection
user_pref("camera.control.face_detection.enabled", false);

// PREF: Set the default search engine to DuckDuckGo (disabled)
user_pref("", "Wikipedia (en)");
user_pref("", "");
user_pref("keyword.URL", "");

// PREF: Disable GeoIP lookup on your address to set default search engine region
user_pref("", "US");
user_pref("", "US");
user_pref("", "");

// PREF: Set Accept-Language HTTP header to en-US regardless of Firefox localization
user_pref("intl.accept_languages", "en-US");
user_pref("intl.charset.fallback.override", "UTF-8");

// PREF: Don´t use OS values to determine locale, force using Firefox locale setting
user_pref("intl.locale.matchOS", false);

// PREF: Don´t use Mozilla-provided location-specific search engines
user_pref("", false);

// PREF: Do not automatically send selection to clipboard on some Linux platforms
user_pref("clipboard.autocopy", false);

// PREF: Prevent leaking application locale/date format using JavaScript
user_pref("javascript.use_us_english_locale", true);

// PREF: Do not submit invalid URIs entered in the address bar to the default search engine
user_pref("keyword.enabled", false);

// PREF: Don´t trim HTTP off of URLs in the address bar.
// Big change for Firefox: Mozilla-Browser eliminates part of the URL (if set to true)
user_pref("browser.urlbar.trimURLs", false);

// PREF: Don´t try to guess domain names when entering an invalid domain name in URL bar
user_pref("browser.fixup.alternate.enabled", false);

// PREF: When browser.fixup.alternate.enabled is enabled, strip password from ´user:password@...´ URLs
user_pref("browser.fixup.hide_user_pass", true);

// PREF: Send DNS request through SOCKS when SOCKS proxying is in use
//user_pref("NETWORK.PROXY.SOCKS_REMOTE_DNS", false);

// PREF: Don´t monitor OS online/offline connection state
user_pref("network.manage-offline-status", false);

// PREF: Enforce Mixed Active Content Blocking
user_pref("security.mixed_content.block_active_content", true);

// PREF: Enforce Mixed Passive Content blocking (a.k.a. Mixed Display Content)
// NOTICE: Enabling Mixed Display Content blocking can prevent images/styles... from loading properly when connection to the website is only partially secured
user_pref("security.mixed_content.block_display_content", false);

// PREF: Disable JAR from opening Unsafe File Types
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.7
user_pref("", false);

// CIS 2.7.4 Disable Scripting of Plugins by JavaScript
user_pref("security.xpconnect.plugin.unrestricted", false);

// PREF: Set File URI Origin Policy
// CIS Mozilla Firefox 24 ESR v1.0.0 - 3.8
user_pref("security.fileuri.strict_origin_policy", true);

// PREF: Disable Displaying Javascript in History URLs
// CIS 2.3.6
user_pref("browser.urlbar.filter.javascript", true);

// PREF: Disable asm.js
user_pref("javascript.options.asmjs", false);

// PREF: Disable SVG in OpenType fonts
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

// PREF: Disable in-content SVG rendering (Firefox>= 53)
// NOTICE: Disabling SVG support breaks many UI elements on many sites
user_pref("svg.disabled", false);

// PREF: Disable video stats to reduce fingerprinting threat
user_pref("media.video_stats.enabled", false);

// PREF: Don´t reveal build ID
// Value taken from Tor Browser
user_pref("general.buildID.override", "20100101");
user_pref("browser.startup.homepage_override.buildID", "20100101");

// PREF: Prevent font fingerprinting

//One more detailed listing:
user_pref("app.update.staging.enabled", false);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.pbmode.enabled", true);
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);
user_pref("browser.sessionstore.max_tabs_undo", 0);
user_pref("browser.sessionstore.max_windows_undo", 0);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
user_pref("security.pki.sha1_enforcement_level", 1);
user_pref("security.mixed_content.send_hsts_priming", false);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
// 2615: disable http2 for now as well
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.proxy.socks_remote_dns", true);
// 2666: disable HTTP Alternative Services
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);
user_pref("", false);

// from
user_pref("", 1);
user_pref("webgl.enable-webgl2", false);
user_pref("webgl.disable-wgl", true);
user_pref("browser.sessionhistory.max_entries", 3);
user_pref("", 126);
user_pref("", 2560);
user_pref("", 22);
user_pref("", 6000);
user_pref("media.ffmpeg.low-latency.enabled", true);
// Reduce CPU Utilization
// this few settings can reduce the cpu utilization and speeding up web contents.
user_pref("layout.frame_rate", 20);
user_pref("gfx.direct2d.disabled", false);
user_pref("gfx.direct2d.force-enabled", true);
user_pref("layers.prefer-opengl", true);
// from
// Information about installed fonts can be read out by Javascript, flash or Java and further on get used
// for individual fingerprinting of the browser.

user_pref("browser.display.use_document_fonts", 0);
user_pref("font.blacklist.underline_offset", "");
user_pref("javascript.options.wasm", false);
user_pref("javascript.options.wasm_baselinejit", false);
// from
user_pref("browser.display.use_document_fonts", 0);

user_pref("gfx.downloadable_fonts.enabled", false);
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
user_pref("layout.css.font-loading-api.enabled", false);
user_pref("gfx.downloadable_fonts.disable_cache", true);